DOCUMENT RESUME

ED 275 349    IR 051 697

TITLE: Privacy Act. Federal Agencies' Implementation Can Be Improved. Report to
the Chairman, Subcommittee on Government Information, Justice, and Agriculture,
Committee on Government Operations, House of Representatives.
INSTITUTION: General Accounting Office, Washington, D.C.
REPORT NO: GAO/GGD-86-107
PUB DATE: Aug 86
NOTE: 62p.
AVAILABLE FROM: General Accounting Office, P.O. Box 6015, Gaithersburg,
MD 20877 (first 5 copies free, additional copies $2.00 each).
PUB TYPE: Legal/Legislative/Regulatory Materials (090); Reports -
Research/Technical (143)
EDRS PRICE: MF01/PC03 Plus Postage.
DESCRIPTORS: Access to Information; Automation; *Compliance (Legal);
Disclosure; Federal Government; *Federal Regulation; Information
Dissemination; Information Storage; Information Systems; Legislation;
*Privacy; *Public Agencies; Recordkeeping
IDENTIFIERS: Office of Management and Budget; *Privacy Act 1974

ABSTRACT

In order to examine the implementation of the Privacy Act of 1974 by federal
government agencies, the General Accounting Office (GAO) examined
organizational issues at 13 cabinet-level departments and the Veterans
Administration and reviewed Privacy Act operations in detail at 6 of these
agencies and 37 of their components. This study focused on how the agencies
have (1) organized their Privacy Act activities, and (2) followed selected
provisions of the Act and Office of Management and Budget (OMB) guidelines.
GAO found that agencies have taken highly decentralized approaches to
implementing the law, and often have not established clear lines of
responsibility and accountability for Privacy Act functions. As a result of
the study, GAO made a number of recommendations to the OMB for improvement in
oversight, agency evaluation, and certain OMB guidelines pertaining to such
activities as computer matching programs. Supporting material is provided in
three tables and three appendices; a glossary is also included. (KM)






GAO 



United States 

General Accounting Office

Washington, D.C. 20548 



General Government Division 

B-223140 

August 22, 1986 

The Honorable Glenn English 
Chairman, Subcommittee on Government 

Information, Justice, and 

Agriculture 
Committee on Government Operations 
House of Representatives 

Dear Mr. Chairman: 

This report is in response to your request that we examine how federal agencies
have implemented the Privacy Act of 1974. The report addresses the organizational
structures adopted by agencies, the roles of agency Privacy Act officers, and agency
adherence to Privacy Act provisions and Office of Management and Budget (OMB)
guidance.

As arranged with your office, unless you publicly announce the contents of the
report earlier, we plan no further distribution until 30 days from the date of the
report. At that time we will send copies to OMB, the Cabinet departments and the
Veterans Administration, congressional committees having an interest in privacy-
related matters, and other interested parties. Additionally, we will make copies
available to others upon request.

Sincerely yours,




William J. Anderson 
Director 






Executive Summary

Purpose

Federal agencies collect and use virtually billions of records containing
personal information on individuals. The possession of such vast quantities
of personal information has raised public and congressional concerns over
the ability to protect and balance the privacy of individuals in relation to
the information needs of government. This concern has grown as expanding
information technologies are providing for faster, broader, and less
expensive access to these sensitive records.

GAO was requested by the Chairman, Subcommittee on Government Information,
Justice, and Agriculture, House Committee on Government Operations, to
examine agencies' implementation of the Privacy Act of 1974, the principal
law aimed at protecting personal privacy. This report provides an analysis of
how agencies have (1) organized their Privacy Act activities and (2) followed
selected provisions of the act and Office of Management and Budget (OMB)
implementing guidelines.

Background

The Privacy Act of 1974 provides certain safeguards to individuals against
invasion of privacy by requiring federal agencies to establish rules and
procedures for maintaining and protecting personal data in agency record
systems.

A basic premise of the law is that information about individuals should not
be maintained in secret files. With some exceptions, individuals have the
right to (1) know what records pertaining to them are collected, maintained,
used, and disseminated by the agencies; (2) have access to agencies'
information pertaining to them and to amend or correct the information; and
(3) prevent information obtained by agencies for a specific purpose from
being disclosed for another purpose without their consent.

The act also requires agencies to insure that any records of identifiable
personal information they maintain are for necessary and relevant purposes,
that they are current and accurate for their intended uses, and that adequate
safeguards are provided to prevent misuse of such information. Each agency is
responsible for implementing the act with guidance and oversight from OMB.
(See pp. 8 to 10.)

GAO examined organizational issues at 13 Cabinet-level departments and the
Veterans Administration and reviewed Privacy Act operations in detail at six
of these agencies and 37 of their components.

Page 2 GAO/GGD-86-107 Privacy Act Implementation






Results in Brief

Agencies have taken highly decentralized approaches to implementing the
Privacy Act and often have not established clear lines of responsibility and
accountability for Privacy Act functions. All of the 14 agencies had Privacy
Act officers or their equivalent; however, the officers' limited
responsibilities and resources indicated that they did not exercise the
oversight originally envisioned by OMB. At the six agencies GAO reviewed in
detail, improvements were needed in adhering to OMB guidance relating to such
activities as computer matching programs, risk assessments, evaluations, and
training.



Clearer Responsibility and Accountability Needed

The degree to which Privacy Act responsibilities were clearly delineated and
accountability established varied widely among the agencies. Three of the 14
agencies did not have agencywide directives specifying responsibilities. The
other 11 agencies had published directives, but they generally lacked detail
and specificity. For example, Privacy Act functions such as computer
matching, compliance evaluations, and training were frequently not addressed
in the directives. (See pp. 15 to 17.)



Privacy Act Officers Have Limited Roles

The position of Privacy Act officer was established to provide coordination
and oversight of Privacy Act implementation. GAO's analysis of agency
directives and position descriptions, however, showed that significant
functions such as ensuring compliance and providing Privacy Act training were
not always assigned. Even if these and other responsibilities were assigned,
it is doubtful that the Privacy Act officers could carry them out given the
resources made available to them. These individuals generally held mid-level
management positions and conducted Privacy Act activities on a part-time
basis, in 10 agencies less than half-time. Five officers had no staff
resources. Of the nine who had assistants, seven had fewer than the full-time
equivalent of 1 staff. (See pp. 18 to 22.)



Many Improvements 
Needed at the Six Agencies 
Reviewed in Detail 



While OMB asks agencies to conduct detailed risk assessments for newly
created or modified record systems to assure security and confidentiality,
the six agencies in GAO's detailed review could provide evidence of an
assessment for only 1 of 27 record systems. Five of the six agencies did not
report accurate data to OMB on the extent of their computer matching
activities. In addition, of 26 computer matching programs, 6 did not follow
OMB guidance. The training needs of the hundreds of individuals responsible
for Privacy Act compliance had not been assessed or provided in a systematic
manner. The agencies did not routinely conduct



Page 3



internal evaluations of Privacy Act operations. Where matching and 
other activities related to the Privacy Act were conducted, Privacy Act 
officers at both agency and component levels were frequently unaware 
of and uninvolved in them. (See ch. 3.) 



Recommendations

Because of OMB's key role in managing executive branch operations and the
responsibilities assigned to it by the Privacy Act, GAO makes a number of
recommendations to OMB for improvement in oversight, agency evaluation, and
OMB guidelines pertaining to such activities as computer matching programs.
(See pp. 48 to 49.)



Agency Comments

OMB believes GAO's recommendations are reasonable and has been working to
implement some of them. OMB's other comments concerned such areas as the
Paperwork Reduction Act, the role of Privacy Act officers in relation to
senior officials, and the impact of concurrent responsibilities on Privacy
Act officers' duties. (See pp. 49 to 50.)



Page 4



Contents

Executive Summary 2

Chapter 1
Introduction 8
    Agencies' Responsibilities Under the Privacy Act 8
    The Role of the Office of Management and Budget 10
    Objectives, Scope, and Methodology 12

Chapter 2
Agencies Need to Better Define Privacy Act Responsibilities 14
    Privacy Act Responsibilities Are Highly Dispersed Throughout the Agencies 14
    Improved Directives Are Needed to Communicate Privacy Act Responsibilities 16
    Role of Departmental Privacy Act Officer Needs to Be Reexamined 18
    Privacy Issues Not Covered by the Act 22

Chapter 3
Experiences of Six Agencies Show Improvements Are Needed 24
    Detailed Risk Assessments Were Not Conducted or Were Not Available for New
    and Revised Systems of Records 26
    Agency Automation of Systems of Records 27
    Improvements Can Be Made in Overseeing Computer Matching 29
    Agencies Need to Better Monitor Privacy Act Training 40
    Agencies Need to Evaluate Privacy Act Activities 41

Chapter 4
Conclusions and Recommendations 46
    Conclusions 46
    Recommendations 48
    Agency Comments and Our Evaluation 49

Tables
    Table 2.1: Functions Assigned to Privacy Act Officers by 14 Agencies 19
    Table 2.2: Location and Resources of Agency Privacy Act Officers and Staff 20
    Table 3.1: 1983 Computer Matching Programs at Six Agencies 32

Page 6

Appendixes
    Appendix I: Letter Dated January 4, 1984, From the Chairman of the
    Subcommittee on Government Information, Justice, and Agriculture 52
    Appendix II: Location and Resources of Component Privacy Act Staff 54
    Appendix III: Comments From the Office of Management and Budget 57

Glossary 59



Abbreviations

BOP   Bureau of Prisons
DOD   Department of Defense
GAO   General Accounting Office
HHS   Health and Human Services
HUD   Housing and Urban Development
IRS   Internal Revenue Service
NASA  National Aeronautics and Space Administration
OCSE  Office of Child Support Enforcement
OGC   Office of General Counsel
OIG   Office of Inspector General
OMB   Office of Management and Budget
OTA   Office of Technology Assessment
PHS   Public Health Service
SSA   Social Security Administration
VA    Veterans Administration

Page 7



Chapter 1 

Introduction 



The Privacy Act of 1974 (Public Law 93-579) was enacted on December 31, 1974,
and became effective on September 27, 1975. This legislation established
governmentwide standards to protect the privacy of personal information.
Because the government is one of the largest users of personal information,
the Congress recognized the need to protect the ordinary individual from
potentially abusive powers of government while ensuring that the government
would have the information it needed to operate its many programs. In 1983,
federal agencies reported maintaining about 4,700 systems of records that
have been estimated to contain personal information on virtually everyone in
the country.

After oversight hearings conducted in June 1983, the Chairman, Subcommittee
on Government Information, Justice, and Agriculture, House Committee on
Government Operations, requested that we review agencies' implementation of
the Privacy Act of 1974. The 1983 hearings focused on OMB's responsibilities
under the act for providing guidance and oversight to agencies.



Agencies' 

Responsibilities Under 
the Privacy Act 



The Privacy Act provides safeguards against the misuse of personal 
information by requiring federal agencies to establish rules and proce- 
dures for maintaining and protecting personal data in agency record 
systems. 

A basic premise of the law is that information about individuals should not
be maintained in secret files. Agencies are required to publish in the
Federal Register various data relevant to all of their systems of records
containing information about individuals. A system of records is defined by
the act as any group of records under the control of an agency from which
information is retrieved by an individual's name or some identifying number
or symbol or other identifying particular assigned to the individual.
Information to be published in the Federal Register includes a description of
the categories of records maintained, the types of sources for the
information, and purposes of the records.



Upon request, an agency must permit the subject of a record to gain 
access to and copy the record. An individual disagreeing with the con- 
tents of the record may request it be amended. If the request is denied, 
or not satisfactorily resolved, the individual may appeal the decision to 
a higher level in the agency. Then, if the matter is still unresolved, the 
individual may appeal the matter to a district court and/or place a statement
of disagreement in the record. The agency is required to distribute
the statement of disagreement with all subsequent disclosures of the 



Page 8



record and to any person or agency to whom disclosures of the record 
have previously been made. 

Individual records contained in a system of records may not be disclosed 
to others by an agency unless the subject of the record agrees or the 
disclosure is specifically permitted by the act. The act lists 12 categories 
of permissible disclosures, examples of which are: disclosures to agency 
employees who have a need for the record in the performance of their 
duties; disclosures to the Congress, the courts, and the General 
Accounting Office; and disclosures for a routine use. Routine use is 
defined in the act as the use of a record compatible with the purpose for 
which the record was collected. Routine uses must be described in the 
published descriptions of systems in the Federal Register.

Other provisions of the act require that agencies 

• maintain only personal information that is relevant and necessary to 
accomplish a legal purpose of the agency; 

• collect personal information to the greatest extent practicable directly 
from the subject when the use of the information may result in an 
adverse determination; 

• inform each individual asked to supply personal information of the 
authority for the request, the principal purpose for which the informa- 
tion will be used, any routine uses, the consequences of failing to pro- 
vide the requested information, and whether the disclosure is 
mandatory or voluntary; 

• maintain records with such accuracy, relevance, timeliness, and com- 
pleteness as are reasonably necessary to assure fairness when the infor- 
mation is disseminated; 

• maintain no records describing how any individual exercises rights 
guaranteed by the First Amendment (religion, beliefs, or association) 
unless expressly authorized by statute or unless the records are perti- 
nent to authorized law enforcement activities; 

• establish appropriate administrative, technical, and physical safeguards 
to insure the security and confidentiality of records; 

• sell or rent mailing lists only when specifically authorized by law; and 

• promulgate rules to implement these provisions. 

The act permits systems of records maintained by the Central Intelli- 
gence Agency and agencies involved in law enforcement to be exempted 
from many of its provisions. Other, more limited, exemptions are permitted
for systems of records that contain classified information, statistical
data, or information from confidential sources. The exemption



Page 9



provisions, however, are not mandatory; they apply to a system of 
records only when specifically invoked by the head of an agency. 

Agencies are subject to civil suit, and government employees may be 
penalized up to $5,000 when damages occur as a result of willful or 
intentional criminal action violating any individual's rights under the 
act. 



The Role of the Office 
of Management and 
Budget 



While each federal agency is primarily responsible for its implementation of
the Privacy Act, the act makes OMB responsible for providing overall
guidance, regulations, and oversight. The act also requires the President to
submit an annual report, prepared by OMB, to the House and Senate giving a
consolidated view of Privacy Act activities of the federal agencies. OMB's
oversight role is also included in the Paperwork Reduction Act of 1980. This
act provides a framework to aid federal agencies in the management of
information resources and cites that the privacy functions of OMB include
monitoring compliance with the Privacy Act.



OMB Guidelines and Other Instructions

The Privacy Act authorizes OMB to issue regulations for agencies to follow;
however, OMB has chosen to limit its instructions to guidelines and
circulars, having a somewhat less authoritative effect than regulations.
Examples of OMB's guidelines and circulars follow.

• In July 1975, OMB issued Privacy Act Implementation Guidelines, a
section-by-section discussion of the act and its requirements with
references to the act's legislative history. OMB delegated responsibility for
issuing additional guidance on specific Privacy Act subjects to other
agencies. For example, the Secretary of Commerce (National Bureau of
Standards) was delegated responsibility for issuing standards and guidelines
on computer security.

• Also in July 1975, OMB published Circular No. A-108, Responsibilities for
the Maintenance of Records About Individuals by Federal Agencies. This
circular defined agency responsibilities for implementing the act, including
meeting the publication requirements, providing adequate safeguards over
personal records, and establishing a program for periodically reviewing
policies and practices to assure compliance with the act.

• In March 1979, OMB issued Guidelines for the Conduct of Matching Programs
which instructed agencies on how to collect, maintain, and disclose personal
information when using a computer to identify



Page 10



individuals whose records appear in more than one set of records. In May
1982, OMB revised the guidelines. It eliminated some provisions such as
conducting cost/benefit analyses before conducting a computer matching
program. It also added provisions such as instructing agencies to enter into
written agreements with other participating agencies outlining how systems of
records would be protected in matching programs.

• In December 1985, OMB issued Circular No. A-130, Management of Federal
Information Resources. This circular, a general policy framework for
information management, superseded Circular No. A-108 and replaced it with
Appendix I entitled Federal Agency Responsibilities for Maintaining Records
About Individuals. The appendix restated agency responsibilities and
specified in greater detail the type and frequency of reviews that agencies
need to conduct to ensure compliance with the Privacy Act.

• In February 1986, OMB announced its intention to comprehensively review
and update its Privacy Act guidance. It requested suggestions for needed
changes from Privacy Act experts and practitioners. OMB plans to publish
revised guidelines for public comment in December 1986.



Oversight Provided by OMB

The Privacy Act also assigned OMB the responsibility to provide continuing
assistance to and oversight of the act's implementation by the agencies. In
meeting this responsibility, OMB (1) reviews agency reports on systems of
records, computer matching programs, and other activities as provided for by
the act or OMB instructions and (2) prepares the President's annual report to
the House and Senate.

OMB's oversight approach was criticized in 1983 hearings held by the House
Subcommittee on Government Information, Justice, and Agriculture.¹ The
Subcommittee's report pointed out that, for example, "nothing in the Act
indicates that a review of new or altered systems of records was intended to
be the only type of OMB oversight." The report also stated that such efforts
are essentially reactive, which means that ". . . there is no monitoring by
OMB of agency compliance with provisions of the law not reflected in the
system reports."

The Subcommittee also criticized OMB's preparation of the 1980 and 1981
annual reports on agencies' implementation of the Privacy Act. The
Subcommittee said the two reports were not as comprehensive as



¹The Subcommittee report included two separate views in which some
Subcommittee members expressed reluctance to criticize OMB's oversight
approach because the act's legislative history was not clear as to what was
expected. Despite their reluctance, those members expressed the view that OMB
could do a more comprehensive job of overseeing agency compliance.



Page 11



earlier reports. In 1982, omb recommended that the Congress eliminate 
the Privacy Act annual report requirement and, instead, incorporate it 
into OMB's annual report under the Paperwork Reduction Act. The Con- 
gress rejected this proposal and instead expanded the report's contents. 
OMB's 1982 annual report, consolidated with the 1983 report, was pub- 
lished in December 1985. OMB was working on a consolidated 1984 and 
1985 annual report when we completed our audit work in February 
1986. OMB expected to issue the report in October 1986. 



Objectives, Scope, and 
Methodology 



We were asked to (1) review the organizational structure and effectiveness
of Privacy Act implementation at major departments and agencies and (2)
determine how major agencies are organized to permit identification and
consideration of non-Privacy Act privacy issues in the ordinary course of
agency business. In an earlier report, we responded to a third aspect of the
request that pertained to the activity and resources devoted to privacy
policy matters at the Department of Commerce's National Telecommunications
and Information Administration (GAO/GGD-84-93, Aug. 31, 1984).



To address the organizational issues, we conducted work at the 13 Cab- 
inet-level departments and the Veterans Administration. At each of 
these agencies,¹ we reviewed internal directives, orders, regulations, and
other documents which establish and describe the organizational struc- 
ture adopted for implementing the Privacy Act. We interviewed agency 
Privacy Act officers and other officials and obtained internal reports 
and other documents which also identified and described the roles and 
responsibilities of those assigned Privacy Act duties. 



We selected for review three activities covered by the act and/or OMB
guidelines. These activities included (1) creating new systems of records,
(2) automating systems, and (3) computer matching. On the basis of the 1983
data available at the time we were planning our work, we selected 6 of the 14
agencies for more detailed analyses: the Departments of Health and Human
Services, Interior, Justice, Labor, and Treasury, and the Veterans
Administration. The six agencies accounted for 73 percent of all activity
reported by the 14 agencies for the three activities selected. We also
reviewed how the agencies conducted Privacy Act training and evaluated all
Privacy Act operations. Although we did not review all the activities covered
by the act (we excluded, for example,



¹For the purpose of this report, we refer to the 13 Cabinet-level
departments and the Veterans Administration as agencies.

Page 12



the access and amendment provisions), we believe our selection provides a
range of activities sufficient to demonstrate (1) the roles and
responsibilities of Privacy Act officers and (2) how effectively agencies
have implemented provisions of the act and OMB guidance.

At the six agencies we reviewed in detail, we traced the 1983 activities 
pertaining to (1) creating new systems of records, (2) automating sys- 
tems, and (3) computer matching through the procedural steps at the 
agency level as well as in 37 appropriate components. At each organiza- 
tional level we reviewed internal documents and files and interviewed 
Privacy Act officers. In addition, we interviewed program personnel and 
staff from the offices of General Counsel, Inspector General, Personnel, 
Security, and others. 

The request also asked how agencies identify and consider privacy 
issues not covered by the act. In consultation with the Subcommittee 
office, we limited our work on this question to interviews of agency Pri- 
vacy Act officers at the 14 agencies. These privacy issues can be raised 
in a variety of contexts and are not necessarily related to systems of 
records issues which the Privacy Act covers. 

We examined OMB's guidance to agencies, which included Circular Nos. A-108
and A-130, Privacy Act Implementation Guidelines, the 1979 Guidelines for the
Conduct of Matching Programs, and the 1982 Guidance for Conducting Computer
Matching Programs. We also reviewed 1983 hearings held by the House
Subcommittee on Government Information, Justice, and Agriculture on OMB's
oversight of the Privacy Act of 1974. We interviewed the OMB senior policy
analyst who is the primary focal point for OMB's Privacy Act responsibilities
to supplement this information.

We conducted our review from January 1985 to February 1986 in accordance
with generally accepted government auditing standards. At the direction of
the requester's office, we obtained comments on this report only from OMB.



Page 13



Chapter 2 



Agencies Need to Better Define Privacy Act Responsibilities



The Privacy Act makes agency heads responsible for implementing and 
complying with its requirements. Because records are dispersed virtu- 
ally throughout all agency components, agencies have adopted highly 
decentralized approaches to implementing the law. Decentralization 
makes it especially important that agency heads clearly assign responsi- 
bilities; however, the agencies varied in the degree to which they accom- 
plished this. Clear lines of responsibility and accountability were not 
always established for Privacy Act functions. 

Agencies have established a Privacy Act officer position to help coordinate
Privacy Act matters, a critical position in a decentralized organization.
However, some important functions such as ensuring compliance with Privacy
Act provisions and OMB guidance had not been assigned to the Privacy Act
officer. Even if such responsibilities were assigned, it is doubtful that the
Privacy Act officers could carry them out effectively given the resources
made available to them. Generally, these individuals (1) were mid-level
employees, (2) had little or no Privacy Act staff to assist them, and (3)
worked on Privacy Act activities on a part-time basis.

Agencies may engage in activities that have privacy implications outside 
the context of the Privacy Act. Most Privacy Act officers said that their 
agencies did not have a focal point or central mechanism to identify and 
address such issues, although such issues may be addressed by various 
organizational units as they arise. 



Privacy Act Responsibilities Are Highly Dispersed Throughout the Agencies

Federal agencies maintain several thousand systems of records containing
personal information on individuals. These records are used to administer
federal programs and, as such, are maintained and operated by program staff
in the many bureaus and offices at headquarters and in the field. Because the
Privacy Act applies to each system of records regardless of location, Privacy
Act functions are likewise widely dispersed and decentralized.

To illustrate, consider the structure of several agencies. The Department of
Health and Human Services (HHS) reported that, as of 1983, it maintained 408
systems of records in its various components such as the Public Health
Service, the Social Security Administration (SSA), and the Health Care
Financing Administration. Within each component, systems of records were
further decentralized. For example, the Public Health Service had 226 systems
of records which were maintained by its various components such as the
National Institutes of Health and the Food

Page 14






and Drug Administration. The National Institutes of Health's 87 systems of
records were further distributed among its 18 major components. Other
agencies are similarly decentralized. The Veterans Administration (VA) and
Justice, for example, reported for 1983 that they maintained 57 and 232
systems of records, respectively. These systems were dispersed throughout
their many components and field offices. The Veterans Administration had, in
addition to headquarters' divisions, several hundred facilities that had and
used Privacy Act systems of records.

Just as agencies' systems of records are dispersed, so too are Privacy Act
responsibilities. In addition to handling requests by individuals for access
to their own records, Privacy Act responsibilities include other functions
such as creating and modifying systems, ensuring that systems of records are
adequately safeguarded, and participating in computer matching activities.
Each function can involve people from different organizational components and
organizational levels. For example, the proposal for creating a new system of
records normally originates at the program level, where the records will be
maintained and used. Data processing people may be involved in automating the
system, and security personnel may assist in developing appropriate
safeguards. The General Counsel offices at both components and headquarters
levels review notices and reports of new systems for legal sufficiency.



Improved Directives Are Needed to Communicate Privacy Act Responsibilities

The Privacy Act and OMB publications do not provide detailed guidance on how agencies are to implement their Privacy Act responsibilities. Given the highly dispersed nature of Privacy Act functions, we examined how the 14 agencies communicated policies and assigned Privacy Act responsibilities throughout their organizations. We found that (1) three agencies had not issued comprehensive directives to assign responsibilities, (2) nine agencies issued directives but did not assign responsibilities consistent with the Privacy Act officers' position descriptions, and (3) eight agencies' directives did not address one or more significant responsibilities. In our opinion, improvements are necessary to assign responsibilities as well as to establish accountability for adhering to Privacy Act requirements.

Agencies have prepared Privacy Act regulations and, in some cases, directives. Agency regulations, published in the Code of Federal Regulations, generally serve to notify the public of procedures they may use to seek access to records. Directives, on the other hand, are internal documents aimed at setting the basic framework for Privacy Act operations. Agency directives serve to communicate assignments of responsibility as well as establish accountability.

We analyzed the directives and Privacy Act officer position descriptions of the agencies to determine how they assigned responsibility for seven Privacy Act functions. As described in OMB Circular No. A-108 (now Circular No. A-130's app. I) these responsibilities include (1) allowing individuals access to their records, (2) establishing safeguards to prevent unauthorized disclosures, (3) establishing a program to periodically review recordkeeping policies and practices, (4) conducting training for individuals involved in maintaining systems of records, (5) publishing notices of systems of records, and (6) establishing and maintaining Privacy Act related procedures and directives. The seventh function is to report on and monitor agency participation in computer matching programs. Although not included in OMB's Circular No. A-108, this function was described in OMB's 1979 and 1982 computer matching guidelines and was incorporated into Circular No. A-130.

Three of the 14 agencies — Agriculture, Justice, and VA — have not issued comprehensive directives on Privacy Act implementation. We talked to officials at each agency to determine how agency policy is communicated and Privacy Act responsibilities assigned. Agriculture's Privacy Act officer said he holds periodic meetings with Privacy Act officers in components to discuss Privacy Act matters. He said that a departmentwide directive would be beneficial and plans to develop one. Justice's Assistant Director for General Services, the office that reviews system notices, said that each Justice component has a Privacy Act contact who works with the Justice person responsible for reviewing system notices. In addition, Justice annually reminds managers to report systems of records in accordance with OMB guidance and has developed an order on the Privacy Act security regulations for systems of records. A member of VA's Privacy Act staff said that while VA does not have a comprehensive Privacy Act directive, some responsibilities are assigned in various VA documents. For example, VA had assigned responsibility for preparing reports of new systems in its policy manual to systems managers. However, both he and the VA Privacy Act officer said that a comprehensive Privacy Act directive is needed.

Of the 11 agencies with directives, 8 have not assigned one or more Privacy Act functions in either a directive or the Privacy Act officers' position descriptions. For example, none of the eight assigned responsibility for monitoring computer matching programs from a Privacy Act standpoint. Two of the agencies — Commerce and HHS — have not assigned responsibility for Privacy Act related training. Two of the agencies — Education and Labor — have not assigned responsibility for evaluating Privacy Act implementation. Two of the agencies — HHS and HUD — have not assigned responsibility for developing and updating agency Privacy Act directives. Defense, Energy, and Interior were the only agencies which had assigned all of the seven Privacy Act functions in either their directive or the position description of the agency Privacy Act officer.

Nine of 11 agencies' directives did not accurately describe the roles and responsibilities of Privacy Act officers. For example, five agencies' directives did not show the Privacy Act officers' responsibility for evaluating implementation of the Privacy Act. Similarly, three directives did not show that the Privacy Act officer was responsible for training, and eight directives did not show the Privacy Act officers' responsibility for preparing and updating agency directives.

In our opinion, functions included in Privacy Act officers' position 
descriptions should be reflected in agency directives. While position 
descriptions describe the Privacy Act officers' responsibilities, they do 
not serve the same purposes as directives. Directives establish agency 
policy and procedures, identify the organizational location of Privacy 
Act responsibilities, and serve to inform all agency personnel as to 
appropriate offices or officials to contact when questions arise. 

Complete agency directives would also benefit components. Of 37 selected components at six agencies where we conducted detailed analyses, 18 did not have their own directives and, consequently, relied on agency directives to communicate responsibilities. Of the 19 components that had directives, 17 did not address computer matching, 14 did not address evaluations, and 10 did not address training.



Role of Departmental Privacy Act Officer Needs to Be Reexamined

Each agency in our review except Justice and Labor¹ had established a position of agency Privacy Act officer to coordinate and oversee Privacy Act implementation. Our analysis of the position descriptions, activities, and resources allocated, however, indicates that these officials may not be providing oversight to the degree needed.

A Privacy Protection Study Commission was created by the Privacy Act of 1974 to investigate the personal data recordkeeping practices of governmental and private organizations. The commission concluded that a critical element to successfully implementing the Privacy Act was the designation of a single official with authority to oversee the implementation of the act. Following the commission's 1977 report to the President, a Cabinet-level coordinating committee was established to analyze commission findings. The coordinating committee agreed with the commission that it was desirable for agencies to have a single person responsible for overseeing Privacy Act implementation and cited four advantages: (1) increasing the visibility and awareness of Privacy Act responsibilities; (2) facilitating communication on Privacy Act matters; (3) enhancing consistent policy implementation; and (4) assisting in training and effective implementation of the act. The committee's effort became the Presidential Privacy Initiative.

As a result of the Presidential Privacy Initiative, OMB sent a memo to all agency heads in 1979 suggesting they designate an official with oversight responsibility for Privacy Act implementation. Each of the agencies has designated such an official and has delegated day-to-day responsibilities to a Privacy Act officer.

We reviewed the roles and responsibilities of Privacy Act officers and found that these individuals were not always assigned key functions. Table 2.1 summarizes the number of agencies that assigned seven selected responsibilities to Privacy Act officers in agency directives or position descriptions.

¹Justice has not designated a Privacy Act officer but has assigned departmentwide responsibilities for reviewing system notices and preparing OMB's annual report submission. For purposes of this report we considered this individual to be the agency Privacy Act officer. Although Labor has not designated a Privacy Act officer, its directive assigns overall Privacy Act implementation responsibilities to the Solicitor and we have considered this individual to be the Privacy Act officer. As of May 3, 1986, this position was vacant.



Table 2.1: Functions Assigned to Privacy Act Officers by 14 Agencies

Function                  Assigned to Privacy    Not assigned to Privacy
                          Act officers           Act officers
Training                  [illegible]            [illegible]
Computer matching         1                      13
Compliance evaluations    [illegible]            [illegible]
Safeguards                [illegible]            [illegible]
Systems notices           [illegible]            [illegible]
Access                    12                     2
Directives                4                      10

[The scan also preserves two value pairs, 7/7 and 2/12, belonging to rows among compliance evaluations, safeguards, and systems notices, but they cannot be assigned to a specific row.]

The table shows that significant functions were not assigned to agency Privacy Act officers. For example, although computer matching is one of the more controversial activities having Privacy Act considerations, 13 of the 14 agencies had not specifically assigned any role to the Privacy Act officer. Because Privacy Act activities are dispersed and conducted throughout agencies and their many components, we believe the Privacy Act officers should have some coordinating role in each of these critical functions. As discussed in the following chapter, our detailed review of selected Privacy Act functions at six agencies showed that Privacy Act officers were not always actively involved in all of these areas and Privacy Act and OMB guidance was not always followed.

Even if the roles and responsibilities assigned to Privacy Act officers were expanded, it is doubtful whether under current circumstances they would be able to meet them given the resources provided to them. Table 2.2 lists the resources and locations of agency Privacy Act officers and their staffs as of May 1986.



Table 2.2: Location and Resources of Agency Privacy Act Officers and Staff

For each agency the table gives the senior official, the immediate office of the Privacy Act officer, the grade of the Privacy Act officer, and the estimated staff years (officer/staff*).

Agriculture
  Senior official: Assistant Secretary, Office of Governmental and Public Affairs
  Immediate office: Special Programs Division
  Grade: 1[second digit illegible]
  Staff years: [illegible]

Commerce
  Senior official: Assistant Secretary for Administration
  Immediate office: Information Management Division
  Grade: [illegible]
  Staff years: [illegible]

Defense
  Senior official: Assistant Secretary of Defense (Comptroller)
  Immediate office: Defense Privacy Board
  Grade: SES
  Staff years: .90/1.80(2)

Education
  Senior official: Deputy Under Secretary for Planning, Budget and Evaluation
  Immediate office: News and Information Division
  Grade: 12
  Staff years: .20/.60(1)

Energy
  Senior official: Assistant Secretary for Management and Administration
  Immediate office: Freedom of Information and Privacy Acts Branch
  Grade: 14
  Staff years: .40/.30(4)

Health and Human Services
  Senior official: Assistant Secretary for Public Affairs
  Immediate office: Freedom of Information/Privacy Division
  Grade: 14
  Staff years: 1/.60(2)

Housing and Urban Development
  Senior official: Assistant Secretary for Administration
  Immediate office: Information Policies and Management Division
  Grade: 14
  Staff years: .50/0

Interior
  Senior official: Assistant Secretary for Policy, Budget, and Administration
  Immediate office: Division of Directives and Regulatory Management
  Grade: 14
  Staff years: .30/0

Justice
  Senior official: Assistant Attorney General for Administration
  Immediate office: Mail, Fleet, and Records Management Services
  Grade: 12
  Staff years: 1/0

Labor†
  Senior official: Solicitor
  Immediate office: Solicitor
  Grade: -
  Staff years: -/.55(6)

State
  Senior official: Assistant Secretary for Administration
  Immediate office: Information Access and Services Division
  Grade: 15
  Staff years: .25/4.85(12)

Transportation
  Senior official: Assistant Secretary for Administration
  Immediate office: Information Requirements Division
  Grade: 14
  Staff years: .05/0

Treasury
  Senior official: Assistant Secretary for Management
  Immediate office: Disclosure Branch
  Grade: 13
  Staff years: .33/.97(1)

Veterans Administration
  Senior official: Associate Deputy Administrator for Management
  Immediate office: Paperwork Management and Regulations Service
  Grade: 15
  Staff years: .03/.47(3)

*The number in parentheses designates the number of staff available to assist the Privacy Act officers.

†Grade of the Solicitor and estimated time devoted to Privacy Act matters were not available due to the position's vacancy.



Except for DOD and Labor, Privacy Act officers were mid-level managers whose grade levels ranged from GS-12 to GS-15. They were often two layers removed from the senior agency official who directed the organization to which they were assigned. Generally, the senior official was an Assistant Secretary with many responsibilities other than Privacy Act implementation.

Privacy Act officers also had limited resources to perform their Privacy 
Act duties. By their own estimates, 10 of the 14 Privacy Act officers 
spent less than half their time on privacy matters; two were full time. 
Five had no staff. Nine had staff but for seven of these officers, their 
staffs spent less than one full staff year on Privacy Act matters. 



Except for HHS and Justice, all Privacy Act officers had other duties that competed for their time and resources. Nine of the 14 Privacy Act officers were responsible for some aspect of the agency's implementation of the Freedom of Information Act. For example, Energy's Privacy Act officer was Chief of the Freedom of Information/Privacy Act Branch; he spent about 40 percent of his time on Privacy Act issues. Others had different duties. The VA Privacy Act officer, who spent 3 percent of his time on the Privacy Act, was the agency's focal point for records management, forms management, mail management, and travel management. Transportation's Privacy Act officer's primary responsibility was implementing the Paperwork Reduction Act, which he estimated took [figure illegible] percent of his time.

Agency component and other organizational units may also designate individuals to coordinate and/or oversee Privacy Act activities. Each of the 37 components of the six agencies reviewed in detail identified such an individual. Our analysis showed that, like agency Privacy Act officers, these individuals generally held mid-level management positions and worked on Privacy Act matters on a part-time basis. Because the individuals held different positions and titles, we have referred to them as component Privacy Act officers. A table summarizing this analysis is in appendix II.

Like their counterparts at the agency level, component Privacy Act 
officers were generally mid-level managers at grades GS-12 to GS-15. 
However, their grade levels ranged from a GS-8 secretary at Interior's 
Aircraft Services to Senior Executive Service positions at six 
components. 

Of the 37 component Privacy Act officers, 22 spent 10 percent or less of 
their time on Privacy Act functions. Only at the Health Care Financing 
Administration in HHS was the Privacy Act officer a full-time position. 
Although 29 of the 37 Privacy Act officers had additional staff 
resources, in 28 components the staff spent less than 1 full staff year on 
Privacy Act matters. These estimates do not include other component 
employees who may become involved in Privacy Act matters such as 
handling access and disclosure requests. 

As the staff years suggest, all component Privacy Act officers, except at the Health Care Financing Administration, had other duties. For example, the Bureau of Mines' Privacy Act officer was responsible for personal property management, space management, motor vehicle management, and energy conservation. Treasury's Bureau of the Public Debt's Privacy Act officer served as an adviser for the Bureau's marketable securities programs. Also, like their agency counterparts, [number illegible] component Privacy Act officers had some responsibility for implementing the Freedom of Information Act.



Privacy Issues Not Covered by the Act

Agencies may engage in activities that have privacy implications outside the context of the Privacy Act of 1974. For example, taping of conversations, workplace monitoring, polygraphs, fraud hotlines, and computer profiling may have personal privacy implications but, because they may not involve Privacy Act systems of records, would not be subject to the act.

We asked agency Privacy Act officers whether there was a focal point or central mechanism to identify and deal with non-Privacy Act privacy issues raised by these activities. We were interested in determining whether attention was being given to such things as

• assessing the impact of the activities on personal privacy,

• determining whether activities with privacy implications should be undertaken,

• determining who should be involved in the activities (personnel/component), and

• providing appropriate controls for management oversight.

The Privacy Act officers at 10 of the agencies told us there was no central focal point to address privacy issues not covered by the act. Four of the 10 Privacy Act officers said they could be minimally involved in such issues but only when asked. Five said they were not involved at all with these issues. DOD's Privacy Act officer said that, while he did not consider his office to be a central focal point, his office would become involved in most of the privacy-related concerns dealing with such issues.

The remaining four Privacy Act officers believed there was a focal point. The State and Labor Privacy Act officers said they acted as the focal point. In addition, the Privacy Act officer at Energy believed that a focal point existed in Energy's defense programs area. The Privacy Act officer at Transportation said that the Office of Security would serve as a focal point.

We asked the Privacy Act officers for their views on the desirability of having a central focal point to address privacy issues not covered by the act. Seven believed that a focal point to address some or all of the issues would be beneficial, while two expressed doubts about usefulness or practicality. The remaining five Privacy Act officers did not express an opinion.

The limited involvement of Privacy Act officers and the absence of a centralized mechanism to identify and address activities having privacy implications not subject to the Privacy Act does not imply that those privacy issues are not addressed. Such activities may occur virtually anywhere within an organization and may be addressed as they arise. However, in our opinion, it might be worthwhile for agencies to take steps to channel information concerning such activities to the Privacy Act officer or other centrally located official. This individual would be in a position through daily contacts on privacy matters to share information throughout the organization and thereby heighten awareness of privacy implications.






Chapter 3
Experiences of Six Agencies Show Improvements Are Needed



We examined in detail how six agencies (HHS, Interior, Justice, Labor, Treasury, and VA) were complying with selected provisions of the Privacy Act and OMB guidelines pertaining to (1) assuring adequate safeguards of newly created and modified systems of records, (2) automating systems of records, (3) computer matching, (4) Privacy Act training, and (5) internal evaluations. We found that the agencies need to make improvements in each area.

• While OMB suggests that agencies should conduct detailed risk assessments for newly created or modified systems of records to assure their security and confidentiality, the agencies were able to provide evidence of such an assessment for only 1 of the 27 systems of records that were established or modified in 1983. Agency Privacy Act officers told us they rely on component organizations to conduct the risk assessments; however, component officials said this function was not always performed.

• Systems of records that become automated are considered to be new systems subject to the OMB guidelines if the automation results in greater access to the records. None of the three agencies that automated systems during the period of our review followed OMB's guidelines.

• Agencies have not reported accurate data to OMB on the extent of their computer matching programs. Two organizations considered their matching programs to be exempted from OMB guidelines, although OMB's concurrence was not sought. Our analysis of 20 computer matching programs showed that 6 did not follow OMB guidance.

• The training needs of individuals involved with Privacy Act activities were not assessed or provided in a systematic manner. Privacy Act officials at four components told us they do not provide Privacy Act training. In the remaining 33 components, Privacy Act officers said some training is received although not all Privacy Act officers maintained data on who attended.

• Agencies do not routinely conduct internal evaluations of Privacy Act operations which would provide senior agency officials with feedback on the effectiveness of the operations or on areas needing improvement.






Detailed Risk Assessments Were Not Conducted or Were Not Available for New and Revised Systems of Records

[Start of sentence illegible] agencies to publish notices in the Federal Register telling of the existence of new systems, to provide adequate advance notice to the Congress and OMB of any proposal to establish a new system of records or, under certain conditions, alter an existing system.

Safeguarding personal information is vital to complying with the Privacy Act. The act requires agencies to establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records. To accomplish this, OMB's guidance calls for a brief description of the steps taken to minimize the risk of unauthorized access to the system to be included in the agency's submission at the time the system is established or revised. In addition, OMB's guidance to agencies calls for a more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established to be available on request.

During 1983, the Departments of HHS, Interior, Justice, Treasury, and the VA published notices and prepared reports on 27 new or revised systems of records. The Department of Labor did not have new or revised systems in 1983. The Privacy Act officers at the five agencies said they reviewed draft notices and reports to assure that required data elements were included and properly stated. But they said they did not monitor compliance with the requirement that detailed assessments of the risks and safeguards established be conducted and available on request. Consequently, they had no available information on the extent to which their agencies followed the OMB guidance.

For each of the 27 new or revised systems, we requested a copy of the detailed risk assessment. Of the five agencies, HHS was able to provide a risk assessment for one of its systems.

• The VA Privacy Act officer said that components are responsible for conducting detailed risk assessments. A member of the Privacy Act officer's staff in the component responsible for the one new system instituted in 1983 said he did not know if a detailed risk assessment was conducted. Because of our inquiry, the staff member contacted a program official and was assured that the potential risks and necessary safeguards were addressed at the time the system was proposed.

• Treasury's Privacy Act officer said she did not have copies of risk assessments for the one new system and two revised systems instituted in 1983. The components responsible for the systems were unable to provide any risk assessments. The Privacy Act officer said she had reviewed system specifications for other systems in the past when her review of their proposed notices or reports raised questions.

• Interior's Privacy Act officer said that the bureaus are required to perform risk assessments. However, when we asked the components for copies of the risk assessments for the three new and revised systems for 1983, one component responsible for two systems responded that risk assessments were not conducted. Another component responsible for the third system of records said that, as far as it could determine, no formal risk analysis had been performed. In addition, this component said that its impression is that the requirement has generally been ignored.

• Justice instituted 10 new or revised systems in 1983. Justice's official responsible for reviewing system notices said that she did not ask for copies of detailed risk assessments because she believed it was not her responsibility. Our follow-up work at the appropriate Justice components revealed that risk assessments were not available. Justice officials said they believed that the risks of unauthorized access were considered, although the review process was not put in writing. They also said that in 1985 Justice awarded a contract to study security needs at its two data centers.

• One of the five HHS components we visited (the Office of General Counsel) had performed a risk assessment; the remaining four components of HHS did not perform risk assessments for nine new and revised systems instituted in 1983. The Chief of the SSA Privacy Branch said he did not request risk assessments because he was relying on the originating component to contact appropriate system security personnel as called for in the SSA directive. The Public Health Service's Privacy Act officer said she never asked for detailed risk assessments during her review of notices and reports but she had assumed they were done. According to this official, she included a question dealing with risk assessments in an internal control review and found that risk assessments were not being done. The person who was the Health Care Financing Administration's Privacy Act officer during 1983 said she was not familiar with the term risk assessment except in reference to computer security and did not remember risk assessments being included in HHS' checklist for creating new systems of records. Although the checklist points out that the measures taken to minimize the risk of unauthorized access to the system should be described in systems reports, it does not state a requirement for detailed risk assessments. An official from the Office of Inspector General said she was not certain whether a risk assessment was conducted. She suggested that it may have been done, but not incorporated into a single document and retained. She said the subject system of records was temporary and was deleted after approximately 6 months.

Several agency officials raised the question of whether risk assessments need to be kept on file in the years after the system of records was created and whether the assessment needs to be incorporated into a single document. OMB's December 1985 Circular No. A-130, Management of Federal Information Resources, shows that it would be beneficial for agencies to keep risk assessments on file regardless of whether they are incorporated into a single document.

Appendix III to the circular, "Security of Federal Automated Information Systems," establishes controls to be included in federal automated systems security programs where sensitive records, including Privacy Act records, are used. In part, this appendix is in response to prior GAO work on the implementation of the Federal Managers Financial Integrity Act which reported that (1) agencies have identified material weaknesses in automated data processing, including system security, and (2) agencies could better evaluate automatic data processing controls with additional OMB guidance. The appendix, among other things, instructs agencies to conduct periodic reviews of sensitive applications and to recertify security safeguards at least every 3 years. It states that the reviews should be considered part of the agencies' internal control reviews pursuant to the Financial Integrity Act. In our opinion, fulfillment of these instructions would be facilitated if agencies fully document risk assessments on their Privacy Act systems of records and keep them on file.

We discussed this with OMB. OMB's senior policy analyst for Privacy Act matters said he would consider amending Circular No. A-130 to instruct agencies, in submitting their reports on new or altered systems of records, to include information on where the formal risk assessment is located so that OMB could obtain a copy, if necessary.



Agency Automation of Systems of Records

OMB's guidance on automation of systems of records states that when such a change creates "the potential for either greater or easier access" agencies need to prepare a new system report and a revised system notice. At the same time and as part of the process, agencies are to conduct a detailed assessment of risks and safeguards. Three of the six agencies reported automating systems during 1983. We discussed how the OMB guidance was applied with Privacy Act officials at each of the three agencies.
• Interior reported that 44 systems of records were automated during 1983. According to the agency Privacy Act officer, the bureaus are responsible for adhering to OMB's guidelines. We discussed the system automations at two bureaus which accounted for 23 of the systems. The privacy coordinator at one bureau which automated 11 systems said bureau personnel did not review the 1983 automations until 1984 and 1985. At that time they concluded that the automations did not meet OMB's criteria of creating greater or easier access because they did not increase the number of personnel who had access to the records. According to this official, the automations entailed upgrading equipment, and only those who had access to the earlier systems continued to have access. The privacy coordinator at the second bureau, which automated 12 systems, said he did not know if the question of whether OMB's guidance was applicable to the automation actions had been addressed. Our analysis of the system notices for these 12 systems showed that they were updated in 1983 to reflect some changes, but the sections related to automation were unchanged from their last republication in 1977. One system was still described as a manual system.

• Justice automated five systems of records during 1983 and prepared reports on new systems and revised system notices for each. Because of personnel changes, we were able to talk to personnel knowledgeable about only three of the systems. The Privacy Act coordinator of the component responsible for two of the automations said that he assumed that all automations should result in a report and new system notice. A staff member in another component responsible for a third automation believed the automation met OMB's greater access criteria because information would be input at remote terminals. Although both said that OMB's publication guidance was followed, neither individual believed that risk assessments were conducted. One of the individuals told us she was unaware that the assessments were needed. The second individual recalled that his predecessor discussed Justice's security requirements with the system manager but did not discuss OMB's risk assessment provision.

• Labor automated two systems. According to the Privacy Act staff, the responsibility for determining whether a new system report and revised notice are necessary rests with components. Officials at the component involved were unaware of OMB's guidance on automated systems and acknowledged that the system notices published in the Federal Register still categorize the two systems as being manual. These officials and a staff member of the Labor Privacy Act officer said they would review OMB's instructions and issue the necessary publications for these systems.






In its December 1985 publication of the President's Annual Report on the Agencies' Implementation of the Privacy Act of 1974 for calendar years 1982 and 1983, OMB identified the effects of automation as an area of concern for future study. OMB observed that 80 percent of all systems were manual when the Privacy Act was drafted and that there has been a continuing trend towards automation, including an estimated 500,000 microcomputers in use by 1990.

If OMB conducts an automation study, we believe it should include how agencies implement its guidance pertaining to automated systems. On December 12, 1985, OMB changed its criteria on the automation of existing systems from those that create "the potential for either greater or easier access" to those that create "substantially greater access." In our opinion, both of these descriptions lack specificity and may be subject to wide interpretations. This is particularly true in view of the fact that decisions may be made by many different personnel who are responsible for Privacy Act systems of records.



Improvements Can Be Made in Overseeing Computer Matching



Computer matching, the comparison of two or more sets of computerized systems of records to identify individuals who are included in more than one, is an activity that raises privacy concerns. To provide guidance and oversight of agency matching programs, OMB issued detailed matching guidelines in 1979 and revised them in 1982.

Each of the six agencies in our detailed review participated in computer matching programs in 1983. We found that the number of programs agencies reported to OMB understated the actual amount of reportable matching activity. Several of the agencies used varying criteria in reporting their matching programs to OMB, and others' recordkeeping practices were poor. In some cases, agency Privacy Act officers believed that more specific routine uses were needed for releasing information; however, the information was released before the disclosures came to their attention. Also, one agency disclosed information for a matching program without a written agreement on how the information would be used and conducted two programs without publishing notices in the Federal Register.



Computer Matching and OMB's Guidelines

In conducting a matching program, two computer files are run against each other using a software package that instructs the computer to search for certain personally identifiable variables, for example, identical social security numbers, names, or addresses. When the program


^ Page 29 GAO/GGD-8C.107 Privacy Act Implementation 



ERiC 30 



Chapter 3 

KxjH»rlrnccN of Six AKoncles Show 
ImprovoiuenU Arti NmliMl 



identifies duplicate information (or information that is similar to a predetermined degree), such data are considered "raw hits" that need to be refined and verified. Matching is used for such purposes as detecting unreported income, duplicate benefits, overpayments, and ineligible recipients.
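The procedure just described, written out as an added example; it is not code from the GAO report or from any agency's matching software, and the two files, names and social security numbers in it are constructed for illustration. A source file is run against a matching file on normalized SSN (the "identical" case) and on name similarity above a fixed threshold (the "similar to a predetermined degree" case). Every result is a raw hit: identical-SSN hits whose names disagree and all name-only hits are flagged for verification rather than treated as findings, and the source file is then cut down to the hit subjects so that nothing is retained about non-hit individuals, which is the condition OMB's guidelines (described later in this chapter) make source agencies write into their agreements.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Record:
    """One line of a system of records. 'detail' stands in for the program-specific
    data (pay grade, claim number) a real file would carry."""
    ssn: str
    name: str
    detail: str


@dataclass(frozen=True)
class RawHit:
    source: Record
    matched: Record
    reason: str               # "ssn" for an identical identifier, "name" for a near-match
    needs_verification: bool  # raw hits are leads, not findings


# Constructed sample files; every name and SSN here is fictitious.
PAYROLL = [                                                  # source agency file (hypothetical)
    Record("123-45-6789", "Jane Q. Doe", "GS-11"),
    Record("987-65-4321", "Robert Smith", "GS-7"),
    Record("555-12-3456", "Maria Lopez-Garcia", "GS-9"),
    Record("222-33-4444", "Harold Finch", "GS-12"),
]
CLAIMANTS = [                                                # matching agency file (hypothetical)
    Record("123456789", "JANE Q DOE", "claim 83-0101"),      # same SSN, unformatted
    Record("111-22-3333", "Robert Smyth", "claim 83-0217"),  # different SSN, near-identical name
    Record("777-88-9999", "Alice Wong", "claim 83-0330"),    # no counterpart in PAYROLL
    Record("555-12-3456", "M. Garcia", "claim 83-0402"),     # same SSN, name differs
]


def normalize_ssn(ssn: str) -> str:
    """Compare identifiers on digits only so formatting differences cannot hide a hit."""
    return re.sub(r"\D", "", ssn)


def normalize_name(name: str) -> str:
    return " ".join(re.sub(r"[^A-Z0-9]+", " ", name.upper()).split())


def name_similarity(a: str, b: str) -> float:
    """Ratio in 0.0..1.0; the 'predetermined degree' is a threshold applied to it."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def raw_hits(source, matching, name_threshold=0.85):
    """Run the source file against the matching file and return every raw hit."""
    by_ssn = {}
    for rec in matching:
        by_ssn.setdefault(normalize_ssn(rec.ssn), []).append(rec)
    hits = []
    for s in source:
        seen = set()
        for m in by_ssn.get(normalize_ssn(s.ssn), []):
            # An identical SSN is a hit, but a strongly disagreeing name points to a
            # keying error or an identity mix-up, so the hit is flagged, not trusted.
            disagree = name_similarity(s.name, m.name) < name_threshold
            hits.append(RawHit(s, m, "ssn", disagree))
            seen.add(m)
        for m in matching:  # O(n*m) pass for the fuzzy case; adequate for an illustration
            if m not in seen and name_similarity(s.name, m.name) >= name_threshold:
                hits.append(RawHit(s, m, "name", True))  # name-only hits always need verification
    return hits


def hit_subjects(source, hits):
    """Keep only the source records of individuals who produced a hit; everything else is
    dropped, so no information about non-hit individuals is carried forward."""
    hit_ssns = {normalize_ssn(h.source.ssn) for h in hits}
    return [r for r in source if normalize_ssn(r.ssn) in hit_ssns]


if __name__ == "__main__":
    found = raw_hits(PAYROLL, CLAIMANTS)
    for h in found:
        flag = "VERIFY" if h.needs_verification else "ok"
        print(f"{h.reason:4} {h.source.name!r:22} <-> {h.matched.name!r:16} {flag}")
    print("retained for follow-up:", [r.name for r in hit_subjects(PAYROLL, found)])
```

The threshold of 0.85 is an assumption chosen for the constructed data; a real program would set it from the false-hit rate observed during verification, and a hit on an identifier alone ("ssn" with a disagreeing name) should be treated with the same suspicion as a name-only hit, since a transposed digit in either file produces exactly that pattern.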

A matching program by the former Department of Health, Education, and Welfare in 1977, called "Project Match," is commonly cited as the federal government's first major computer matching effort. It involved comparing the computer tapes of welfare rolls and federal payroll files in 18 states, New York City, and Washington, D.C. The goal was to detect federal employees who were fraudulently receiving benefits through the Aid to Families with Dependent Children program.

The constitutional and statutory legitimacy of computer matching has been questioned by a number of privacy advocates, most notably the American Civil Liberties Union which was primarily concerned about the impact of computer matching on individual rights. Their concern stems from the fact that a computer matching program is usually not directed at an individual but rather at an entire category of persons, and not because any one of them is suspected of misconduct but because the category is of interest to the government. Privacy advocates are concerned that such programs, which they view as generalized "fishing expeditions," may violate the Fourth Amendment right to be free from unreasonable searches and seizures.

Opponents of computer matching also question its statutory authority. The Privacy Act restricts disclosure by federal agencies of personally identifiable information, unless the record subject consents or unless the records fall under one of 12 exceptions. One major exception to this rule involves the "routine use" provision, defined as the use of a record for a purpose which is compatible with the purpose for which the record was collected. Since administration of the Privacy Act is left almost entirely to the agencies it regulates, some agencies have developed broad routine use justifications for matching of personal records. The opponents of matching argue that these broad routine use justifications circumvent the underlying privacy principle that individuals should be able to exercise control over information about themselves which they provide to the government.

Proponents of computer matching believe that the routine use compatibility requirement should extend to disclosures that agencies perceive as necessary, proper, and of benefit to the government. They feel that carefully managed computer matching is a valid internal control technique. Further, the Congress has authorized the use of computer matching in various programmatic areas specified in several statutes, such as the Deficit Reduction Act of 1984.

Under its Privacy Act oversight authority, OMB in March 1979 issued matching guidelines "to aid agencies in balancing the government's need to maintain the integrity of Federal programs with the need to protect an individual's right to privacy." In May 1982, OMB revised its earlier guidance, clarifying parts and simplifying others.

Matching programs covered by the guidelines entail a source agency and a matching agency. Source agencies disclose personal data to be used by the matching agency in performing the program. The guidelines specify that, before disclosing personal data, source agencies are to require the matching agencies to agree in writing that the data will not be used to extract information concerning "non-hit" individuals for any purpose. Matching agencies, according to the guidelines, are to publish a notice in the Federal Register, describing the matching program, and are to send copies of the notice to OMB and the Congress concurrently.

The guidelines specify that certain types of matching programs are not 
covered by the provisions. Examples are 

• those which do not compare a substantial number of records, 

• checks on specific individuals to verify data in applications for benefits 
done reasonably soon after the applications are received, and 

• programs done by an agency using its own records. 



More Complete Data Needed on the Extent of Computer Matching



Congressional hearings and various studies have documented that no accurate accounting exists on the number of computer matching programs being conducted by federal agencies. We compared calendar year 1983 computer matching statistics reported to OMB by the six agencies with data we obtained at the agencies. We also obtained information that agencies provided to the Office of Technology Assessment (OTA) for its recent study of federal information technology.¹ We found that the agencies used varying criteria in reporting matching programs to OMB. We also found discrepancies caused by poor recordkeeping. Overall, the agencies participated in more matching programs than they reported to OMB and the Congress.

¹ Federal Government Information Technology: Electronic Record Systems and Individual Privacy. June 1986, OTA-CIT-296.

For the preparation of the President's annual report to the Congress on Privacy Act implementation, OMB asks agencies to annually report the number of matching programs in which they participated as a source agency and as a matching agency. Table 3.1 shows the number of 1983 programs the six agencies we reviewed reported to OMB and the number of programs that we were able to identify. In many instances the programs were conducted among two or more of the six agencies we reviewed; thus, adding the columns would overstate the total numbers.



Table 3.1: 1983 Computer Matching Programs at Six Agencies

                                  Number of programs    Number of programs
Agency                            reported to OMB       GAO identified
Health and Human Services                  5                  19
Interior                                   2                   2
Justice                                    1                   2
Labor                                     13                  15 (a)
Treasury                                   1                   5 (b)
Veterans Administration                   21                  19 (c)

(a) Our reconciliation of Labor's programs showed that because of administrative error, Labor reported five programs that did not occur. It also conducted seven programs which it did not report to OMB. Labor believes that three of these programs were not subject to OMB's guidelines. We include them because in two cases, participant agencies reported them to OMB, and in the third case, the available documentation describes a program that we believe should also be reported to OMB.

(b) Includes four matching activities involving IRS that IRS believes may not be matching programs as defined by OMB guidelines. We include them because the four participant agencies agreed with us that the programs are covered by the guidelines.

(c) We found that VA conducted two programs that it did not report to OMB. In addition, it reported four activities which it misidentified as matching programs.



Discrepancies Caused by Agencies' Interpretations of OMB Matching Guidelines

Most unreported matches were due to agencies' interpretations of the OMB guidelines. Two agencies, the Internal Revenue Service and HHS' Office of Child Support Enforcement (OCSE), believed that their matching programs were not subject to OMB's guidelines. Labor believed that three of its programs were not subject to the guidelines. Other agencies differed in how they reported matching programs that were performed periodically and extended over more than 1 year.






During the course of our review four agencies, the Bureau of Prisons, SSA, OCSE, and Labor, indicated that they participated with IRS in computer matching programs. In addition, IRS provided information to the OTA stating IRS' participation in seven other matching programs during 1983. An IRS official told us that information on computer matching activities is not reported to OMB because IRS was exempt from the guidelines. The official also said that data reported to OTA, and possibly by the four agencies, may be in error because this may have included computer activities that were not matching programs as defined by the OMB guidelines. He said that IRS does not maintain readily available records that show how many matching programs it actually participated in because of its exemption. The official said that IRS would have to examine many computer operations to determine if they were matching programs as defined by OMB's guidelines.

According to Treasury's Privacy Act officer, Treasury requested and received OMB's approval to exempt IRS' tax administration matching programs from adherence to the 1979 matching guidelines. The official explained that Treasury received assurance from OMB that the 1979 guidelines were not intended to apply to tax administration matching programs but rather to anti-fraud programs related to federal assistance type payments, such as VA or other federal loans. Treasury also believed that section 6103 of the Internal Revenue Code provided sufficient safeguards for personal data and that compliance with the guidelines would cause an unnecessary administrative burden. Treasury continued to apply this exemption after OMB issued its revised guidelines.

We discussed Treasury's belief that IRS is exempt from OMB's 1982 guidelines with OMB's senior policy analyst for Privacy Act matters. This official said that, unlike the 1979 guidelines, OMB's 1982 guidelines do not distinguish anti-fraud matching programs from other types, and consequently IRS needs to adhere to the 1982 provisions. On March 20, 1986, OMB communicated its position to Treasury that IRS should follow the guidelines. As of April 28, 1986, IRS had not responded to OMB's position; although according to an Office of General Counsel attorney, Treasury continues to believe IRS is exempt.

OCSE did not report at least two recurring 1983 matching programs in which it participated. OCSE, with its parent locator service, was the source agency in programs with VA and IRS to identify the addresses of missing parents. In addition to VA and IRS, OCSE participates in such matching programs with DOD, the Selective Service System, and the National Personnel Records Center. These programs are generally conducted monthly, except for IRS' weekly operation. An OCSE official told us the agency's matching programs were not reported to OMB because OCSE believed OMB's guidelines did not apply. According to this official, OCSE considered itself a "conduit" for this matching activity, receiving data on absent parents from states, transmitting it to agencies for matching, receiving the results, and forwarding them to the states. OCSE did not consult with HHS' Privacy Act staff or OMB about this determination. After our discussions, the official agreed that OCSE is subject to the guidelines and stated that future matching programs will be conducted in accordance with the guidelines and will be reported to OMB.

Labor participated in three matching programs in 1983 that it did not report to OMB. All three involved the Employment Standards Administration. It was source agency for (1) a one-time program with the National Aeronautics and Space Administration (NASA) dealing with hearing loss claims at a NASA research center and (2) a program performed periodically with Interior to ensure that Labor charges Interior for only Interior employees' workers' compensation payments. In the third program, Labor was matching agency with the United Mine Workers Health and Retirement Funds as source.

Labor's Privacy Act staff, using a similar rationale for the two source agency programs, determined that neither was subject to OMB's matching guidelines. The reason given was that the computer tapes sent to NASA and Interior contained information on only those agencies' employees. Labor thus believed that both programs were, in effect, internal to the two agencies and not subject to the guidelines. NASA and Interior, on the other hand, published Federal Register notices for the matching programs. The respective notices showed that these agencies considered the programs to be subject to OMB's guidelines. Because the different interpretations by Labor and the two other agencies create inconsistent reporting, we discussed them with OMB's senior policy analyst for Privacy Act matters. This official said that the match with NASA was subject to OMB's guidelines and should have been reported by Labor. He said he would have to further review Labor's program with Interior to determine if it is subject to the guidelines.

The third matching program that Labor did not report to OMB is a recurring one that was created to assist the United Mine Workers Health and Retirement Funds in determining the eligibility for black lung benefits of that agency's beneficiaries. Where proper eligibility is determined, the program further assists in identifying the associated mine operators who may be responsible for reimbursing the source agency. Labor's Privacy Act staff said they view the program as essentially a billing procedure whereby the allocation of benefit payments is determined. OMB, however, does not include programs such as this one as exceptions to its guidelines. Thus, we believe Labor should have reported the program to OMB and, since the program is ongoing, should continue to do so.

Inconsistent reporting to OMB on the number of matching programs agencies conducted also occurred because of the manner in which agencies treated programs that were initiated before 1983 but continued on a periodic basis, including the 1983 time frame. Interior, in responding to OMB's request for the number of matching programs participated in during 1983, included one that was initiated in 1982. This program is a recurring one, and because it was continued into 1983, Interior believed it should be included in the 1983 data submission to OMB. VA also followed this practice and included its participation in three programs that were initiated in earlier years. HHS' Social Security Administration and Office of the Assistant Secretary for Personnel, in contrast, did not report their 1983 participation in 12 programs that were initiated in prior years.

Unless participation in all matching programs is reported, extensive 
matching activities may occur but will not be reflected in the report to 
the Congress. 



Discrepancies Caused by Poor Recordkeeping

Other matching programs were incorrectly reported because of inaccurate and incomplete recordkeeping.

Labor did not report four matching programs to OMB involving the black lung program, which is in the Division of Coal Mine Workers Compensation. The Privacy Act coordinator for the Employment Standards Administration (which contains this division) said the computer matching paperwork did not go through his office. Following our inquiry, a workers compensation specialist in the division was assigned to locate documentation of the black lung matching programs. He was able to find very little matching-related paperwork until we described for him the data that Labor had provided for OTA's recent federal information technology study.

Labor's Employment Standards Administration reported that it conducted five matching programs involving the Federal Employees Compensation Act area in 1983. However, we found that the Administration did not perform any programs for this area in 1983. The Privacy Act coordinator said he may have been confused about how to fill out the OMB data request; the program office had served as the source agency for five matching programs, and he entered those correctly.

The Administration's Privacy Act coordinator has initiated procedures to ensure that matching activities are properly reported in the future. The procedures require all components of the Administration, when proposing participation in a match, to contact the Privacy Act coordinator regarding the documentation and any OMB clearance that may be necessary. Further, the Privacy Act coordinator must concur in all computer matching documentation.

VA's Department of Veterans Benefits reported four activities as source matching programs that were instead external releases of information for purposes other than computer matching. This department also did not report a one-time matching program that it conducted. Another program not reported by VA involved the Office of Budget and Finance as a source. A member of the central office Privacy Act staff said an administrative error caused the program not to be reported to OMB. Because of our findings, the central office staff instituted computer matching reporting procedures that require VA components to submit specific details on all of their matching programs to the central office.

Finally, two unreported source agency programs occurred at Treasury and Justice. One involved Treasury's Office of Inspector General, which is organizationally within the Office of the Secretary. Labor was the matching agency. Treasury's Privacy Act officer said that since she is also located within the Office of the Secretary, she did not query components of that office about their matching activities since all matches would normally be reported to her before being conducted. The second matching program involved Justice's Bureau of Prisons as a source agency to IRS. According to the bureau Privacy Act officer, his records did not include this match; otherwise he would have reported it.



Problems Noted Involving Specific Matching Activities

We reviewed 26 matching programs that were subject to OMB's 1982 guidelines² and found that three agencies did not follow the guidelines' provisions in six of the programs. For three of the programs, agency Privacy Act officers believed that more specific routine uses were needed for releasing information; however, the information was released before the disclosures came to their attention. In one program, the source agency did not obtain a written agreement from the matching agency on how the data would be used, although it did obtain oral agreement. Finally, in two other matching programs, an agency did not publish Federal Register notices. We also found one instance where an agency disclosed records to a nonfederal entity but, because OMB guidance is silent on such matching programs, did not publish a Federal Register notice.

The OMB guidelines instruct agencies serving as source agencies in matching programs to ensure that disclosures are in accord with the Privacy Act. The act, with 12 specific exceptions, disallows the disclosure of records without the record subject's consent. One exception, called the routine use provision, allows the disclosure if the records will be used in a manner that is compatible with the purpose for which they were originally collected. The routine uses must be published as part of the public notice provided for the entire system of records.

For the 26 matching programs conducted in 1983, we found that five of the six agencies participated as source agencies and made disclosures under the routine use provision on 17 occasions. Our analysis showed that generally the published routine uses were consistent with the purposes of the programs. However, in three instances, Privacy Act officers believed that sufficiently descriptive routine uses were not present in the system notices. According to the Privacy Act officers, the disclosures occurred before the matter came to their attention.

Both Treasury's Office of Inspector General and IRS were identified as source agencies for matches conducted by the Department of Labor. Labor performed the program to identify individuals who received unemployment insurance compensation during periods of federal employment. It matched the employee payroll records of seven federal agencies with the unemployment insurance claimant records of 14 state employment security agencies. Treasury and IRS released to Labor certain employee payroll data that they extracted from their payroll record systems. Treasury's Privacy Act officer told us that new routine uses more closely associated with the intended program should have been published before releasing the data. She said she could not recall being aware of the disclosures until after they occurred. She said routine uses allowing such disclosures would be prepared and published in the Federal Register.

² The six agencies were involved in 35 matching programs; 9 of these were subject to the 1979 guidelines. These earlier guidelines contained different provisions from the 1982 version, especially regarding public notice; Federal Register publication was called for only in the 1982 guidelines. Consequently, we reviewed the 26 programs for compliance.

Interior was also a source agency in Labor's unemployment compensation matching program. At the request of Interior's Inspector General, several components extracted data from multiple payroll systems for release to Labor. Interior's Privacy Act officer and an attorney in the Office of the Solicitor said that the issue of routine uses for the matching program was not addressed until after the disclosures were made. The attorney later reviewed the routine uses for each of the systems and determined that one use was present in each of the notices that was sufficiently broad to permit the disclosures. However, Interior's Privacy Act officer and a second attorney in the Solicitor's office believed that the cited routine uses in the system notices did not precisely describe the computer matching process to be used in the intended disclosures. Therefore, after the disclosure for the matching program, Interior published a specific new computer matching routine use for each of the payroll systems.



Source Agency Agreements

Under the OMB guidelines, federal source agencies are responsible for obtaining written agreements from the matching agencies that specify the conditions governing the use of the matching files. The agreement is to make explicit the conditions under which disclosure will be made and is aimed at, among other things, assuring that the disclosed information will be used only for the intended purposes. Because the six agencies served as source agencies in 17 of the 26 matching programs, source agency agreements should have been obtained. We found with one exception that the agencies had them on file.

The one exception involved the VA which disclosed records to the Georgia Bureau of Employment Security as part of its program to match state wage records to identify any unwarranted payments of VA pension and certain compensation benefits caused by beneficiaries' underreporting or failing to report earned income. VA's Office of Inspector General conceived and coordinated the program and published the matching notice in the Federal Register. The state agency, however, did not want to release its entire file, so VA provided its data and the state agency performed the initial matching procedure. Although VA obtained no written agreement, the Inspector General's Privacy Act staff said that Georgia officials orally agreed to the conditions outlined in the OMB guidelines and returned the computer tape to VA when the program was


Federal Register Notices

A responsibility assigned to matching agencies by the OMB guidelines is the publication in the Federal Register of a notice describing the matching program. The notice, to be published "as close to the initiation of the matching program as possible," is to include such elements as a description of the personal records to be matched and the safeguards to be used for protecting this data.

The six agencies we reviewed served as the matching agency in 14 of the 26 matching programs. We found two instances where an agency did not provide notice in the Federal Register. The notices were not published because of an apparent misunderstanding as to which agency had this responsibility. The two programs involved OCSE and Army serving as source agencies to VA's Department of Veterans Benefits. Both programs were conceived by and conducted for the benefit of the source agencies. The component's Privacy Act officer said staff involved in the programs told him the two source agencies had responsibility for matching notice publication since the programs were for their benefit. VA records, however, do not indicate that the issue of notice publication was discussed among the agencies sufficiently to ensure that agreement was reached on who had this responsibility. According to OMB's guidelines VA, as the matching agency, should have published the notices.

One additional matching program for which a notice was not published highlights a shortcoming in the OMB matching guidelines. Nonfederal organizations that use federal agency data in matching programs are not required to publish notices in the Federal Register. Thus, a notice was not published for a program using SSA data where the State of California was the matching agency. The OMB senior policy analyst for Privacy Act matters said the guidelines should be amended to provide that federal agencies publish notices when they participate as sources to nonfederal entities. This amendment could become even more significant in the future since the Deficit Reduction Act of 1984 requires, in effect, that federal/state matching activities be expanded.



OMB Computer Matching Checklist

In December 1983, OMB issued a computer matching "checklist" to assist agencies in adhering to OMB guidelines. Agencies are to complete the checklist and maintain it in their files. It contains several questions to be answered for each matching program in which agencies participate, including whether and when (1) routine use provisions were published, (2) source agency agreements were obtained, and (3) a notice of the program was published.

While the checklist could help prevent the problems we found for 
matching programs conducted in 1983, the agencies need to ensure that 
all components use it for their programs. We contacted Privacy Act staff 
at the agencies' 15 components that participated in matching programs 
in 1983 and found that the staff in 10 components were aware of the 
checklist. At 6 of the 10 components the staff told us the checklist had 
been used for one or more programs; the other 4 said they had not par- 
ticipated in any programs since the checklist's issuance, but it will be 
used when programs occur. At the remaining five components, which 
were involved in 18 of the 35 programs conducted in 1983, the Privacy 
Act staff were not aware of the checklist's existence. 



Agencies Need to Better Monitor Privacy Act Training

In Circular No. A-108, OMB made agency heads responsible for conducting training for all personnel who are in any way involved in maintaining Privacy Act records for the purposes of (1) apprising them of their Privacy Act responsibilities and (2) familiarizing them with agency procedures for implementing the Privacy Act. In a December 1985 revision, OMB strengthened its instructions and made agency heads responsible for annually reviewing agency training practices to ensure that all agency personnel are familiar with the act's requirements, agency implementing regulations, and any special requirements that their jobs entail.

Although Privacy Act training was offered, it was not always monitored by agency or component Privacy Act officers to track employees who receive or need it. Discussions with the agency Privacy Act officers and 37 components of the six agencies included in our review disclosed the following.

• Two of the six agency Privacy Act officers said they were not involved in training because of resource constraints. Another two officers have provided training, although one stated that resource limitations have prevented his involvement over the past several years. The remaining two Privacy Act officers said that the training function is delegated to other units.

• Thirty-three of the 37 components reported that Privacy Act training was provided and ranged from internal programs and discussion at management conferences to external training courses, although in some instances attendance was optional. Fourteen Privacy Act coordinators said they do not maintain data on who attended.

• The remaining four components, at one agency, reported that they do not provide Privacy Act training.

For its 1985 presidential report, OMB requested agencies for the first 
time to provide information on the Privacy Act training provided to 
employees. It, among other things, requested data on (1) the number of 
employees that had received training, (2) the criteria used in deciding 
who was to receive training, and (3) whether the training was internal 
or external. This information, which may be available from personnel or 
other records, should be useful to omb and the respective agencies in 
assessing Privacy Act training. 



Agencies Need to Evaluate Privacy Act Activities

The six agencies maintain over 1,400 systems of records containing millions of records on individuals. As shown in chapter 2, they have highly decentralized delegations of responsibility for safeguarding the systems. Because of the sensitivity of the records and the organizational structures, periodic evaluations are necessary if agency management is to be aware of how effectively the operations are being carried out as well as areas needing improvement. However, Privacy Act officers were able to identify only five reviews relating to Privacy Act operations in four of the six agencies since 1980.

OMB's Guidelines Stress Internal Evaluations

The Privacy Act espouses the principle that there are proper approaches to the management of information and that agencies should take affirmative steps to assure that their information management practices conform to a reasonable set of norms. OMB incorporated this principle in its Circular Nos. A-108 and A-130.

OMB's Circular No. A-108, published in 1975, required each agency "to establish a program for periodically reviewing agency record-keeping policies and practices to assure compliance with the Act." Circular No. A-130, issued on December 12, 1985, more specifically concerned compliance evaluations. Among the provisions of appendix I to Circular No. A-130 are the following.

• Recordkeeping Practices. Review annually agency recordkeeping and disposal policies and practices in order to assure compliance with the act.

• Routine Use Disclosure. Review every three years the routine use disclosures associated with each system of records in order to ensure that the recipient's use of such records continues to be compatible with the purpose for which the disclosing agency originally collected the information.

• Matching Programs. Review annually each ongoing matching program in which the agency has participated during the year, either as a source or as a matching agency, in order to ensure that requirements are met.

• Privacy Act Training. Review annually agency training practices in order to ensure that all agency personnel are familiar with the requirements of the act, with the agency's implementing regulation, and with any special requirements that their specific jobs entail.

We discussed the Circular No. A-130 requirements with the OMB senior policy analyst who drafted them. He said the circular was issued to expand, clarify, and stress OMB's expectations for agency evaluations of Privacy Act functions. He said the circular was also intended to serve as an impetus for the agencies to emphasize internal reviews and provide sufficient priority to this function.



Agencies Have Not Emphasized the Review Function



Our work at the six agencies showed that emphasis has not been placed 
on evaluations of Privacy Act functions. Consequently, few evaluations 
have been conducted. 

The following summarizes the evaluation efforts of each of the six agen- 
cies we reviewed. 

• While Treasury's Privacy Act directive does not address compliance evaluations, the agency Privacy Act officer's position description includes the responsibility for "implementing and monitoring Departmentwide compliance with requirements of the Act." The Privacy Act officer said although compliance reviews have been planned, staffing constraints have forced postponement. The Privacy Act officer also said reviews were conducted at IRS as part of the National Office Review Program.

• Interior's Privacy Act officer cited two evaluations conducted in 1984. As part of Interior's triennial review program under the Paperwork Reduction Act, the agency assessed aspects of safeguarding Privacy Act systems of records. The assessment found deficiencies and made recommendations in the areas of (1) posting warning notices to limit access to areas where Privacy Act materials are maintained and (2) disposing of Privacy Act materials. In addition, pursuant to a request by a Member of Congress, Interior reviewed selected aspects of the Privacy Act and Freedom of Information Act. The review identified areas where implementation and compliance could be improved including (1) improving the physical security and integrity of Privacy Act records and (2) notifying employees of the provisions of the Privacy Act, including its prohibitions. The Privacy Act officer told us that with only 30 percent of his time devoted to privacy matters he has been unable to conduct any reviews himself. He said that the agency's directive was revised in October 1984 to assign responsibility for onsite inspections to components and that some components began to conduct them in 1985.

• Labor's directive states that the Solicitor will (1) direct the overall 
implementation of the Privacy Act and (2) review disclosure officers' 
decisions periodically to assure adherence to Labor regulations. The 
senior Privacy Act staff member told us that she does not have the 
resources to conduct reviews of how the Privacy Act is implemented. 

• VA does not have a comprehensive directive and its Privacy Act officer 
position description does not address evaluations. The Privacy Act staff 
was aware of two evaluations that were issued in 1980 and 1981. In 
1981, the Privacy Act staff reviewed the Privacy Act systems of records 
of the Department of Veterans Benefits and found that improvements 
could be made in accounting for disclosures and in protecting confiden- 
tial sources of information. In 1980, the Office of Inspector General 
issued a series of reports related to privacy and security controls of a 
major computer system. It reported the need for security audits and, at 
some installations, the need for Privacy Act training. 

• Justice does not have a directive and its position description for the Pri- 
vacy Act official does not include evaluation responsibility. The only 
review cited by officials was a 1983 internal audit report on the depart- 
ment's efforts to comply with the records protection requirements of the 
Privacy Act. It contained recommendations for the Justice Management 
Division (1) to more effectively monitor compliance with Privacy Act 
record security requirements and (2) to annually remind department 
components of their responsibility to identify records systems subject to 
the act and to prepare notices for those systems. 

• HHS has delegated full responsibility for the Privacy Act's implementation to its major components. Our work at the SSA and the Health Care Financing Administration revealed that reviews of Privacy Act operations were not conducted. The Privacy Act officer at the Public Health Service told us that, at her suggestion, elements of the Privacy Act's implementation were incorporated into an internal control review conducted pursuant to the Financial Integrity Act. Through this effort she identified the need for improved Privacy Act instructions and training. According to the Privacy Act officer, corrective actions were being taken. In January 1986, HHS created an ad hoc committee to review the administration of the Privacy Act and to make recommendations for improvements. Among the areas planned for review were computer matching, computer security, and the compatibility of HHS procedures with OMB guidance. On April 17, 1986, HHS officials told us that the committee was in the process of determining how to meet the review requirements contained in OMB Circular No. A-130.






Chapter 4 

Conclusions and Recommendations 



The Privacy Act of 1974 is the principal statute aimed at balancing the 
privacy protection rights of individuals with the information needs of 
federal agencies in conducting government business. As such, it assures 
individuals that records about themselves will be safeguarded and kept 
confidential. The act also places disclosure, recordkeeping, and safe- 
guarding requirements on federal agencies. 

During the years since the act's passage, the number of government-held records has increased dramatically, and more records are automated each year. Automated records and the proliferation of microcomputers expand the uses and access to personal records and thus present difficult privacy challenges that call for greater attention to Privacy Act requirements. However, the executive branch has not emphasized oversight of the Privacy Act. To fulfill its responsibilities under the act, OMB has adopted a reactive approach to oversight. Although this approach depends partially on following up on information provided by agencies for OMB's annual report to the Congress, 3 years elapsed between the publication of OMB's 1981 report and the December 1985 publication of the combined Privacy Act report for 1982 and 1983. The fact that OMB still has not published reports for 1984 or 1985 reflects the low priority it has given this program. At the same time, agencies have not emphasized oversight of their own.

Privacy Act activities are widely dispersed throughout agencies and 
their components. Consequently, the organizational structures estab- 
lished by agencies are decentralized in nature with primary reliance for 
compliance placed with local units that maintain and use individual sys- 
tems of records. Given this decentralized approach, basic management 
tenets suggest the need for clear delegations that assign responsibility 
and establish accountability as well as a central focal point to monitor 
and oversee the law's implementation. Our analysis showed that this has 
generally not been achieved. 

Agency directives and other memoranda that describe delegations for implementing the Privacy Act are unclear as well as incomplete. Of the 14 agencies reviewed, three did not have directives which formally delegated responsibilities. The remaining 11 delegated responsibilities through agency directives but did not address all Privacy Act provisions.

The role and functions of agency Privacy Act officers are less than needed to effectively coordinate and oversee the implementation of the act. We found that significant functions such as ensuring compliance and necessary Privacy Act training were not always assigned.

Our detailed audit work at six agencies illustrated the need for closer attention to Privacy Act activities. Management in these agencies has been less than aggressive in reviewing initiatives to create new systems of records subject to the Privacy Act as well as decisions to automate existing systems. While OMB calls for detailed analyses to be conducted on potential risks and needed safeguards for new systems of records, we found they were rarely prepared by agency program staff. Privacy Act officers seldom inquired about risk assessments.

Although computer matching is one of the most controversial activities generating privacy concerns, agencies (1) did not have current, complete data on the extent of matching programs, (2) did not always follow OMB's matching guidelines, and (3) differed in interpretation of the matching guidelines as to whether programs needed to be reported to OMB. In addition, two component agencies exempted their matching programs from OMB's guidelines. We found no evidence that OMB was previously aware of these discrepancies. The Privacy Act officers were not always involved in computer matching activities.

While OMB guidance emphasizes the need to provide Privacy Act training 
to all personnel v/ho handle Privacy Act records, agencies need a more 
systematic means to assess or provide for training. Given our findings 
that Privacy Act requirements and OMB guidelines are not being consist- 
ently followed in the areas of computer matching, risk assessments, and 
system automations, the need for agency personnel to become more 
aware of these requirements and guidelines is apparent. 

In addition, the six agencies have not established systematic approaches 
for conducting compliance evaluations and providing management with 
feedback on Privacy Act activities. Privacy Act officers told us they do 
not have the resources to conduct evaluations themselves. 

The pervasiveness of such shortcomings leads us to conclude that Pri- 
vacy Act operations need a cohesive, articulated program aimed at 
assuring that such activities are conducted in full compliance with OMB 
guidance and the act's provisions. In our opinion, without more active 
involvement and monitoring by both OMB and agencies, there will be less 
than full assurance that Privacy Act functions are carried out in a 
manner that protects the privacy rights of individuals and balances 
these rights with the information needs of federal agencies. 






OMB is currently planning to conduct a comprehensive review of its 1975 guidelines on implementing the Privacy Act. We believe this effort is timely in light of our findings. Revised guidelines with proper monitoring and oversight can address many of the needed improvements and emphasize the management responsibilities for implementing the act. But the full potential effect of revised guidelines, as well as Circular No. A-130, may not be realized without OMB leadership and active OMB oversight.



Because of OMB's key role in managing executive branch operations and in light of the responsibilities assigned OMB by the Privacy Act, we recommend that the Director, OMB, actively oversee agencies' implementation of the Privacy Act. This would entail following up periodically to ensure agencies' adherence to Circular No. A-130 and other OMB guidance.

Because needed changes will require strong leadership by agencies, we also recommend that OMB direct agencies to

• review and update (or in some cases, prepare) directives that clearly delegate responsibilities and establish accountability for all Privacy Act functions;

• specifically assign to the Privacy Act officers coordinating responsibilities for all Privacy Act activities and ensure that Privacy Act officers have the resources to fulfill these responsibilities;

• systematically assess and provide for Privacy Act training to assure that personnel are aware of Privacy Act requirements and OMB guidance pertaining to such functions as conducting detailed risk assessments, automating systems of records, and conducting computer matching programs; and

• assign responsibility for evaluating Privacy Act operations and monitoring implementation of any recommended improvements.

We also recommend that the Director, OMB, review and clarify OMB's guidance to agencies on automated systems of records and computer matching programs.

• Circular No. A-130's guidance on automating systems of records should provide more specific criteria on when agencies are to prepare a new system report and notice. This would result in greater consistency within and among agencies in recognizing the need to provide advance public notice and reports to OMB and the Congress.

• Computer matching guidelines should specifically state that agencies are to annually report to OMB all participation in matching programs initiated in prior years but conducted on a recurring basis. This would contribute to more complete data in OMB's Annual Report to the Congress.

• Computer matching guidelines should provide for public notice of computer matching programs conducted by organizations not covered by the act when Privacy Act systems of records are disclosed by federal agencies.

• Computer matching guidelines should instruct agencies to notify OMB when, like IRS and OCSE, they believe they are exempt from OMB guidelines. This would provide OMB with the opportunity to review and concur.



Agency Comments and Our Evaluation

OMB said it found our recommendations to be reasonable and that it is already working to implement some of them. It additionally provided several comments which are discussed below.

OMB said the report should include a discussion of the Paperwork Reduction Act of 1980. The Paperwork Reduction Act established a broad framework for managing federal information resources and integrated many related functions, including privacy protection. OMB also said the report appeared to confuse the role of the senior agency official for privacy matters and the working level Privacy Act officer. In a followup discussion, OMB explained that, because Privacy Act functions are integrated with other information resource management duties, Privacy Act officers' activities may be supplemented by functions conducted by other groups such as agency Inspectors General and General Counsels.

We cited the Paperwork Reduction Act in the report. However, we do not believe OMB's comments are pertinent to our findings or recommendations. Under the Paperwork Reduction Act, OMB and agencies continue their responsibilities for implementing the Privacy Act. In fact, OMB's 1984 annual report under the Paperwork Reduction Act of 1980 stated:

"The Act emphasizes the importance of protecting personal privacy of individuals against unwarranted intrusions by Federal agencies and strengthens authorities previously assigned to OMB by the Privacy Act of 1974."

In addition, OMB's 1985 Circular No. A-130 entitled "Management of Federal Information Resources," which provided a framework for information management including the implementation of the Paperwork Reduction Act, continued and, in some instances, strengthened agency Privacy Act responsibilities.

We also agree that other agency activities supplement Privacy Act functions and the activities of the Privacy Act officer. As the report shows, Privacy Act activities are widely dispersed and include program staffs as well as other groups such as the General Counsel. Rather than solely focusing on the Privacy Act officer, we worked with this individual as a focal point and contacted many other groups where either the Privacy Act officer or agency documentation suggested their involvement. The fact that many other groups are involved in Privacy Act activities reemphasizes, in our opinion, the importance of a coordinating focal point, such as the agency Privacy Act officer. These positions were established and located under the senior agency official for Privacy Act matters to coordinate Privacy Act implementation in the agency.

OMB said that time spent by Privacy Act officers in administering the 
Freedom of Information Act and other disclosure statutes may comple- 
ment rather than compete with Privacy Act duties. We clarified the 
report to show that, because Privacy Act officers work on the Privacy 
Act part-time, their other duties must compete for time and resources 
regardless of whether the other duties are complementary or indepen- 
dent of Privacy Act responsibilities. 

OMB questioned whether we found a relationship between the level of the Privacy Act officer in the agency and the accomplishment of his or her duties. We did not attempt to determine such a relationship. We did, however, include Privacy Act officers' locations and grade levels as part of our overview of how agencies have organized to implement the Privacy Act.






Appendix I

Letter Dated January 4, 1984, from the Chairman of the Subcommittee on Government Information, Justice, and Agriculture



Congress of the United States
House of Representatives
Government Information, Justice, and Agriculture Subcommittee
of the
Committee on Government Operations
Washington, D.C. 20515

January 4, 1984

Mr. Charles Bowsher
Comptroller General
General Accounting Office
441 G Street,
Washington, D.C. 20548

Dear Mr. Bowsher:

This Subcommittee recently completed an investigation of the oversight of the Privacy Act of 1974 by the Office of Management and Budget. The Subcommittee's effort resulted in a report (House Report 98-455) adopted by the Committee on Government Operations at the end of the first session of this Congress. The report generally concluded that OMB's Privacy Act oversight efforts were deficient and recommended, inter alia, that there be better government-wide Privacy Act oversight and that there be better representation of privacy interests in government decision making.

Some of the problems with OMB's Privacy Act efforts may also be characteristic of Privacy Act activities at individual agencies. The regular review of system notices and proposed routine uses by the Subcommittee indicates that there may be organizational and other shortcomings with the way that agencies respond to Privacy Act requirements. While some agencies, most notably the Department of Defense, have model programs, other agencies place Privacy Act operational responsibilities at a low level, fail to give the agency Privacy Act officer a meaningful voice, or ineffectively coordinate Privacy Act issues among multiple agency components.

I would like to enlist the assistance of the General Accounting Office in reviewing the organizational structure and effectiveness of Privacy Act operations at major departments and agencies. The main purpose of this assignment is to determine if agencies have accorded sufficient institutional importance to Privacy Act matters to meet the requirements of the Act.






In addition, I would like GAO to determine if major agencies are suitably organized to permit identification and consideration of non-Privacy Act privacy issues in the ordinary course of agency business. My concern is that privacy matters that do not arise in the context of the Privacy Act or other specific legislation relating to privacy are not addressed.

Finally, I would like GAO to review the privacy policy activities of the National Telecommunications and Information Administration at the Department of Commerce. NTIA had been very active with privacy issues prior to 1981, and I want to know if privacy work is continuing at NTIA and, if not, why not.

Subcommittee counsel Robert Gellman can provide your staff with more information and direction with respect to this request.




Sincerely 



Enclosure 






Aj}j)en(llx H 

Location and Resources of Component Priva<;y 
Act Staff 



Aaencv/connDonont 


OrganUatlonel entity _ 


Immediate office 


Qredo 


Eitimatod •tefl^#rj|L_ 
Privacy Act 

otflcot^ Staff 


Health and Human Sarvlcea 












Health Care Financing 
Adminiatration 


UiiiCO Oi MQnagBmoni una 
Budget 


Ronortn Mnnooemont Branch 


12 


1 


u 


Office of Inapoctor General 


Office of Analysis and 
inspeciion 


Management and Operations 

niv/ieinn 


15 


02 




Office of the Assistant 
Secretary for Personnel 
Administration 


vjiiico 01 rori'Jnnoi 
Administration 


r^iv/tciinn nf Por<iOnnol PrtliCV 


12 


.40 


0 


Public Health Sorvico 


Office of the Assistant 
Secretary for Health 


Division of Directives and 
Authorities Management 


14 


.40 


, 1(1) 


Social Security Administration 


Office of Operational Policy and 
Procedures 


Division of Technical 
Documents and Privacy 


15 


.40 


801(9) 


Interior 












Bureau of Indian Affairs 


Office* of the Commissioner 


Office of Administration 


'^'^^SES'^ 


.001 


.30(1) 


Bureau of Mines 


Management Services 


Division of Property and 
General Services 


14 


.05 


50(1) 


Bureau of Reclamation 


Office of Assistant 
Conr^mlssioner for 
Adnnlnlstration 


Assistant Commissioner for 
Administration 


SEb 


.03 


14(2) 


Geological Survey 


Administrative Division 


Special Programs Section 


13 


.15 


.05(1) 


Minerals Management Service 


Office of Administration 


Records Management Branch 


12 


.10 


0 


National Park Service 


r ersonnei ano Maminisuaiivo 
Services 


AHmini^trAtive Services 
Division 


15 


.02 


205(1) 


Office of Administrative 
Services 


Division of General Services 


Division of General Services 


14 


.01 


0 


Office of Aircraft Services 


Office of the Director 


Office of the Director 


8 


.03 


0 


Office of Inspector General 


Assistant Inspector General for 
Administration 


Assistant Inspector General for 
Administration 


13 


.05 


.05(1) 


Office of Personnel 


Division of Program 
Coordination and Evaluation 


Division of Program 
Coordination and Evaluation 


14 


.02 


0 


Office of Surface Mining 
Reclamation and Enforcement 


Directorate of Budget and 
Administration 


Division of Personnel 


SES 


.05 


.20(1) 


Office of Youth Programs 


Administration Division 


Associate Director for 
Administration 


15 


.01 


.01(1) 


United States Fish and Wildlife 
Service 


Office of Assistant Director- 
Administration 


Regulations and Management 
Peviev^ Branch 


14 


.01 


•04(2) 


Justice - 


Bureau of Prisons 


Office of General Counsel 


Office of General Counsel 


13 


.40 


.75(1) 


Civil Division 


Office of Deputy Assistant 
Attorney General, Office of 
Immigration Litigation. Office of 
Consumer Litigation, Executive 
Office, and Freedom of 
Information and Privacy Acts 
Unit 


Freedom of Information and 
Privacy Acts Unit 


13 


.SO 


.90(3) 



ERIC 



Page 64 



GAO/GGM6-107 Privacy Act IitiplcmenUtloii 



Agency/component | Organizational entity | Immediate office | Privacy Act officer (grade) | Officer time | Staff time (number of staff)

Justice
Civil Rights Division | Executive Office | Freedom of Information/Privacy Acts Branch | 11 | .40 | [illegible]
Executive Office for U.S. Attorneys | Legal Services Division | [illegible] | 15 | .20 | [illegible]
Immigration and Naturalization Service | Office of the Associate Commissioner, Information Systems | Information Services Branch | 14 | .50 | [illegible]
Land and Natural Resources Division | Office of Deputy Assistant Attorney General | Policy, Legislation and Special Litigation Section | 15 | .01 | [illegible]
Office of Information and Privacy | Office of Information and Privacy | Office of Information and Privacy | 15 | .20 | -
United States Marshals Service | Office of Legal Counsel | Freedom of Information/Privacy Act Office | 14 | .95 | 1.50(3)

Labor
Employment Standards Administration | Office of Management, Administration and Planning | Branch of Office Services | 12 | .05 | .02(2)
Office of Inspector General | Office of Inspector General | Office of Inspector General | [illegible] | .10 | [illegible]
Office of the Assistant Secretary for Administration and Management | Directorate of Information Resources Management | Office of Information Management | 13 | .01 | -

Treasury
Bureau of the Public Debt | Office of the Commissioner | Office of the Commissioner | [illegible] | [illegible] | -
Internal Revenue Service (see footnote d) | Associate Commissioner for Policy and Management | Disclosure and Security Division | SES | - | [illegible]
Office of Inspector General | Office of Inspector General | Office of the Director for Administration | 12 | - | -
Office of the Comptroller of the Currency (see footnote f) | Office of the Chief Counsel | Legal Advisory Services Division | 14 | .20 | -
 | Deputy Comptroller for Industry and Public Affairs | Communications Division | 13 | .03 | .03(1)
U.S. Customs Service | Office of Commercial Operations | Disclosure Law Branch | 15 | .25 | 2.50(5)

Veterans Administration
Department of Medicine and Surgery | Office of the Assistant Chief Medical Director for Administration | Medical Administration Service | SES | .05 | .55(2)
Department of Veterans Benefits | Administrative Services Staff | Administrative Services Staff | 14 | .15 | 1.40(6)
Office of Inspector General | Office of Assistant Inspector General for Policy, Planning and Resources | Policies and Procedures Division | SES | .05 | .75(2)

Cells marked [illegible] could not be read from the scanned page; "-" marks a cell that is blank on the page.
Page 55






Appendix II
Location and Resources of Component Privacy Act Staff



a. The first column represents the Privacy Act officer's time spent on Privacy Act functions; the second column represents the staff's estimated time spent; and the number in parentheses is the total number of staff available.

b. Identified by the agencies as being the focal point for Privacy Act coordination and/or oversight. These individuals have various titles. For purposes of this report we refer to them as component Privacy Act officers.

c. Does not include resources devoted to access and disclosure requests by disclosure officers.

d. Figures include Privacy Act officer and immediate staff. However, according to an IRS official, the time for the Privacy Act officer and staff in the National Office and field locations cannot be appropriately broken down between Privacy Act duties; related activities which support, duplicate, or supplement the Privacy Act; and privacy issues not covered by the act. Consequently, the full operation involves an estimated 292 staff years.

e. Includes Freedom of Information Act duties. The Privacy Act officer said she could not separate these from Privacy Act duties since all first-person requests involve both acts.

f. At the Office of the Comptroller of the Currency, no single Privacy Act officer has been formally designated. Legal and administrative responsibilities are assigned to a senior attorney and a public affairs specialist, respectively.







Page 56






Appendix III

Comments From the Office of Management and Budget







EXECUTIVE OFFICE OF THE PRESIDENT 
OFFICE OF MANAGEMENT AND BUDGET 
WASHINGTON, D.C. 20503 



JUN 23 1986 

Mr. William J. Anderson 
Director 

United States General Accounting Office
Washington, D.C. 20548 

Dear Mr. Anderson: 

This is to confirm and reiterate the analysis of your draft
report, "Privacy Act: Federal Agencies' Implementation Can Be
Improved," provided to your staff orally by Robert N. Veeder of
my staff.

The main points we wish to emphasize are these:

o The report does not address the effect of the Paperwork
Reduction Act of 1980 on both the agencies'
implementation of the Privacy Act of 1974 and OMB's
oversight responsibilities. We think this is a serious
omission.

o In the discussion of the role of the departmental Privacy
Act officer, the report appears to confuse the role and
responsibilities of the senior official and the working
level privacy officer. Again, we think it is important
to address the Paperwork Reduction Act dimension here.

o In analyzing the percentage of time PA officers spend on
non-privacy matters, we think it is important to note
that the time they spend administering the Freedom of
Information Act or other similar disclosure or
confidentiality statutes is time spent in a complementing
and not necessarily competing activity.

o We also think that the section analyzing the role of the
Privacy Act officer needs a bottom line: is there a
relationship between the level of the PA officer and the
accomplishment of his or her duties? We also note
parenthetically that the report, in focusing solely on
the PA officer, misses opportunities to document other
ways in which the Act is implemented - i.e., what is the
role of the Inspector General or the General Counsel?






Page 57 









As to the recommendations, we think they are reasonable in light
of the report's findings. Some, in fact, we have been working to
implement.

Thank you for the opportunity to comment on the draft.

Sincerely,

Wendy L. Gramm

Administrator for Information
and Regulatory Affairs



Page 58









Glossary 



Computer Matching Program: Not addressed by the Privacy Act, but OMB defines it as "a procedure in which a computer is used to compare two or more automated systems of records or a system of records with a set of non-Federal records to find individuals who are common to more than one system or set. The procedure includes all of the steps associated with the matching program, including obtaining the records to be matched, actual use of the computer, administrative and investigative action on the hits, and the disposition of the personal records maintained in connection with the program. It should be noted that a single matching program may involve several matches among a number of participants."

Hit: Defined by OMB as the identification, through a matching program, of a specific individual.

Matching Agency: Defined by OMB as the federal agency which actually performs the matching program.

Notice of Match: OMB matching guidelines call for matching agencies to publish in the Federal Register a brief notice describing the matching program which includes the following items:

1. The legal authority under which the program is being conducted.

2. A description of the matching program including whether the program is one time or continuing, the organizations involved, the purpose(s) for which the program is being conducted, and the procedures to be used in matching and following up on the "hits."

3. A complete description of the personal records to be matched, including the source(s), system of records identifying data, date(s) and page number(s) of the most recent Federal Register full text publication where appropriate.

4. The projected start and ending dates of the matching program.

5. The security safeguards to be used to protect against unauthorized access or disclosure of the personal records.






Page 59












6. Plans for disposition of the source records and "hits." Agencies should send a copy of this notice to the Congress and to the Office of Management and Budget at the same time it is sent to the Federal Register.



Record: Defined by the Privacy Act as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph."



Report on New System (RONS): In its Circular No. A-130, OMB established criteria for agencies to determine when a RONS must be submitted to it and the Congress. OMB also specified the content of the report to include a brief narrative statement which (1) describes the purpose of the system, (2) identifies the authority for maintaining the system, (3) provides the agency's evaluation of "the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals and its effect on the preservation of the constitutional principle of federalism and separation of power" (required by the act), and (4) provides a brief description of steps taken by the agency to minimize the risk of unauthorized access to the system of records including a discussion of higher or lower risk alternatives which were considered for meeting the requirements of the system. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established is to be made available upon request.

Risk Assessment: A Report on New System is required to include a brief description of steps taken by the agency to minimize the risk of unauthorized access to the system of records. A more detailed assessment of the risks and specific administrative, technical, procedural, and physical safeguards established is to be made available upon request.

Routine Use: Defined by the Privacy Act as "with respect to the disclosure of a record, the use of such record for a purpose which is compatible with the purpose for which it was collected."

Page 60






Safeguards: The Privacy Act requires agencies to "establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained."



Source Agency: Defined by OMB as the federal agency which discloses records from a system of records to be used in a computer matching program.



System Notice: The Privacy Act requires each agency to publish in the Federal Register a notice of the existence of each system of records which includes:

1. the name and location of the system;

2. the categories of individuals on whom records are maintained;

3. categories of records;

4. routine uses;

5. agency policies and practices for storage, retrievability, access control, and disposal of records;

6. the title and business address of the agency official responsible for the system;

7. procedures for notifying individuals of records maintained on them;

8. agency procedures on how individuals may gain access to records kept on them in a system of records; and

9. categories of sources of records in the system.



System of Records: Defined by the Privacy Act as a "group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."






Page 61 









Written Agreements: OMB matching guidelines state "prior to disclosing to either a Federal or non-Federal entity, the source agency should require the matching entity to agree in writing to certain conditions governing the use of the matching file, e.g.: that the matching file will remain the property of the source agency and be returned at the end of the matching program (or destroyed as appropriate); that the file will be used and accessed only to match the file(s) previously agreed to; that it will not be used to extract information concerning 'non-hit' individuals for any purpose; and that it will not be duplicated or disseminated within or outside the matching agency unless authorized in writing by the source agency."







Page 62 







Requests for copies of GAO reports should be sent to:

U.S. General Accounting Office 
Post Office Box 6015 
Gaithersburg, Maryland 20877 

Telephone 202-275-6241 

The first five copies of each report are free. Additional copies are 
$2.00 each. 

There is a 25% discount on orders for 100 or more copies mailed to a 
single address. 

Orders must be prepaid by cash or by check or money order made out to 
the Superintendent of Documents. 



